CVE-2025-11845 is a null pointer dereference vulnerability classified under CWE-476 found in the certificate downloader CGI program of Zyxel VMG3625-T50B and WX3100-T0 firmware versions up to 5.50(ABPM.9.6)C0 and 5.50(ABVL.4.8)C0 respectively. The flaw occurs when an authenticated attacker with administrator-level privileges sends a crafted HTTP request to the vulnerable CGI endpoint, causing the program to dereference a null pointer. This results in a denial-of-service (DoS) condition, effectively disrupting the availability of the affected device’s services. The vulnerability does not allow for unauthorized access, data leakage, or code execution, but it can interrupt network connectivity or device management functions. Exploitation requires network access to the device’s management interface and valid administrator credentials, limiting the attack surface. No public exploits or active exploitation have been reported to date. The CVSS v3.1 base score is 4.9, indicating a medium severity primarily due to the impact on availability and the requirement for high privileges. The vulnerability affects specific Zyxel firmware versions, which are commonly used in certain enterprise and ISP environments. No patches have been linked yet, so mitigation currently relies on access control and monitoring.

The primary impact of CVE-2025-11845 is denial of service on affected Zyxel devices, which can disrupt network connectivity, device management, or certificate handling functions. For organizations relying on these devices for critical network infrastructure, this could lead to temporary loss of internet access or degraded network performance. Since exploitation requires administrator privileges, the risk is mitigated somewhat by internal access controls; however, if an attacker gains such privileges through other means, they could leverage this vulnerability to cause service outages. The vulnerability does not compromise confidentiality or integrity, so data breaches or unauthorized changes are not directly enabled by this flaw. The disruption could affect ISPs, enterprises, or managed service providers using these Zyxel models, potentially impacting customer service and operational continuity. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation.

Organizations should immediately audit and restrict administrative access to Zyxel VMG3625-T50B and WX3100-T0 devices, ensuring only trusted personnel have credentials. Network segmentation and firewall rules should limit access to device management interfaces from untrusted networks. Monitoring for unusual HTTP requests to the certificate downloader CGI endpoint can help detect attempted exploitation. Since no official patches are currently linked, organizations should engage with Zyxel support for firmware updates or advisories. Implementing multi-factor authentication for administrative access can further reduce risk. Regularly backing up device configurations and having failover network paths can minimize operational impact if a DoS occurs. Finally, maintaining an inventory of affected devices and planning timely firmware upgrades once patches are released is critical for long-term mitigation.