CVE-2026-1459 identifies a command injection vulnerability in the Zyxel VMG3625-T50B firmware, versions up to 5.50(ABPM.9.7)C0. The flaw exists in the TR-369 certificate download CGI program, which fails to properly sanitize input before incorporating it into operating system commands. This improper neutralization of special elements (CWE-78) allows an attacker with administrator-level authentication to inject and execute arbitrary OS commands on the device. Because the vulnerability requires administrative privileges, exploitation is limited to users who have already gained elevated access, either legitimately or through prior compromise. The vulnerability has a CVSS 3.1 base score of 7.2, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction needed. Although no public exploits are known at this time, the potential for severe device compromise exists, including unauthorized configuration changes, data exfiltration, or denial of service. The affected device is commonly used in broadband and enterprise network environments, making it a critical concern for network security. The lack of available patches at the time of disclosure necessitates immediate mitigation through access controls and monitoring.

The vulnerability allows an authenticated administrator to execute arbitrary OS commands, potentially leading to full device compromise. This can result in unauthorized disclosure of sensitive configuration data, manipulation or disruption of network traffic, and complete denial of service by destabilizing the device. Given the device’s role in network infrastructure, exploitation could facilitate lateral movement within corporate or ISP networks, enabling attackers to pivot to other critical systems. The high CVSS score indicates a significant risk to confidentiality, integrity, and availability. Organizations relying on Zyxel VMG3625-T50B devices may face operational disruptions, data breaches, and increased attack surface if this vulnerability is exploited. The requirement for admin privileges limits exposure but does not eliminate risk, especially in environments with weak credential management or insider threats.

Until an official patch is released, organizations should implement strict access controls to limit administrative access to trusted personnel only, preferably via secure management networks or VPNs. Enforce strong, unique administrator passwords and consider multi-factor authentication where possible. Monitor device logs and network traffic for unusual command execution patterns or administrative activity. Disable or restrict the TR-369 certificate download CGI interface if feasible. Conduct regular audits of device firmware versions and plan for prompt updates once Zyxel releases a security patch. Network segmentation can help contain potential compromises. Additionally, consider deploying intrusion detection/prevention systems tuned to detect command injection attempts targeting Zyxel devices. Educate administrators about the risks of credential compromise and the importance of secure management practices.