CVE-2025-8693

HIGH

Zyxel DX3300-T0 Firmware < 5.50(ABVY.6.3)C0 - Authenticated OS Command Injection via priv Parameter

Title source: llm

Description

A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025

Scores

CVSS v3 8.8

EPSS 0.0013

EPSS Percentile 32.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (50)

zyxel/ax7501-b0_firmware < 5.17\(abpc.6.1\)c0

zyxel/ax7501-b1_firmware < 5.17\(abpc.6.1\)c0

zyxel/dm4200-b0_firmware < 5.17\(acbs.1.3\)c0

zyxel/dx3300-t0_firmware < 5.50\(abvy.6.3\)c0

zyxel/dx3300-t1_firmware < 5.50\(abvy.6.3\)c0

zyxel/dx3301-t0_firmware < 5.50\(abvy.6.3\)c0

zyxel/dx4510-b1_firmware < 5.17\(abyl.9\)c0

zyxel/dx5401-b0_firmware < 5.17\(abyo.7\)b2

zyxel/dx5401-b1_firmware < 5.17\(abyo.7\)b2

zyxel/ee3301-00_firmware < 5.63\(acmu.1.1\)c0

... and 40 more

Published Nov 18, 2025

Tracked Since Feb 18, 2026