CVE-2026-1460

Summary

A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.

Affected Software

VendorProductVersion RangeStatus
ZyxelDX3301-T0 firmware<= 5.50(ABVY.7.1)C0affected
ZyxelEX3301-T0 firmware<= 5.50(ABVY.7.1)C0affected

Weaknesses

  • CWE-78: CWE-78 Improper neutralization of special elements used in an OS command ('OS command injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References