EIP-2026-101505

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-101505. PoCs published by Marco Ivaldi.

AI-analyzed exploit summary This is a working proof-of-concept exploit for CVE-2022-26531, targeting a format string vulnerability in the zysh binary on Zyxel devices. It leverages the 'ping' command to overwrite the GOT entry of fork() with a shellcode address, achieving remote code execution.

Description

Zyxel zysh - Format string

Exploits (1)

exploitdb WORKING POC

by Marco Ivaldi · textremotehardware

https://www.exploit-db.com/exploits/51786

View Code ZIP pw:eip

This is a working proof-of-concept exploit for CVE-2022-26531, targeting a format string vulnerability in the zysh binary on Zyxel devices. It leverages the 'ping' command to overwrite the GOT entry of fork() with a shellcode address, achieving remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions

Auth required

Prerequisites: Authenticated access to the zysh shell · SSH access to the target device

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Zyxel zysh - Format string

Exploitation Summary

Description

Exploits (1)

Details