CVE-2026-1460: Zyxel Routers Vulnerable to Admin Command Injection

The National Vulnerability Database reports CVE-2026-1460, a post-authentication command injection vulnerability impacting Zyxel DX3301-T0 and EX3301-T0 routers. Specifically, the flaw resides in the “DomainName” parameter within the DHCP configuration file. This vulnerability affects firmware versions up to 5.50(ABVY.7.1)C0.

An authenticated attacker with administrator privileges can exploit this vulnerability to execute arbitrary operating system commands on the affected device. With a CVSS score of 7.2 (HIGH), this vulnerability, categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), represents a significant risk for organizations that have not properly secured their administrative interfaces.

While this requires prior administrator access, it’s a critical escalation path. If an attacker gains initial access through other means – perhaps via a phishing campaign targeting IT staff or a weak default credential – this command injection provides full device compromise. Defenders must assume that once an adversary is on the network, they will seek to pivot and escalate privileges. This vulnerability offers a direct route to complete control over the router, which can then be used for network reconnaissance, traffic manipulation, or establishing persistence.

What This Means For You

  • If your organization uses Zyxel DX3301-T0 or EX3301-T0 routers, you need to verify firmware versions immediately. Prioritize patching to versions beyond 5.50(ABVY.7.1)C0. Furthermore, rigorously audit your administrative access controls for these devices. This isn't a zero-day for the masses, but it's a critical post-authentication flaw that an attacker *will* leverage if they get a foothold. Strong password policies, MFA for administrative interfaces, and network segmentation isolating management planes are non-negotiable.

Detection Rules

Severity: critical · ATT&CK: T1059.004 (Execution)

CVE-2026-1460: Zyxel Router Admin Command Injection via DomainName

Sigma YAML:
title: 'CVE-2026-1460: Zyxel Router Admin Command Injection via DomainName'
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-1460 by targeting the DomainName parameter in the DHCP configuration of Zyxel routers. The rule matches requests to the '/cgi-bin/zyadmind' path whose URI query carries 'DomainName=', the request shape associated with the command injection vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-1460/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi-bin/zyadmind'
    cs-uri-query|contains:
      - 'DomainName='
  condition: selection
falsepositives:
  - Legitimate administrative activity
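As an added example (not part of the original post or of any Zyxel or Sigma tooling), the rule's selection logic applied to constructed webserver log lines in Python, plus one extra grading step that separates a syntactically valid hostname from anything else, which is how a responder can sort the rule's "legitimate administrative activity" hits from the ones worth escalating. The log field layout, IP addresses and query values are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed webserver log lines (not captured from a real device). Each line
# is "date time c-ip cs-method cs-uri cs-uri-query sc-status", so it carries the
# cs-uri and cs-uri-query fields the Sigma rule keys on.
SAMPLE_LOG = """\
2026-04-28 06:20:01 10.0.0.5 GET /cgi-bin/zyadmind DomainName=corp.example.com&Action=Apply 200
2026-04-28 06:21:13 10.0.0.9 GET /cgi-bin/zyadmind DomainName=lab.example%3Bid&Action=Apply 200
2026-04-28 06:22:40 10.0.0.5 GET /cgi-bin/zyadmind Page=Status 200
2026-04-28 06:23:07 10.0.0.7 GET /index.html DomainName=foo.example 200
"""

# Allow-list for a DHCP domain name: dot-separated labels of letters, digits and
# hyphens (RFC 1035 style). Anything outside this set is not a domain name.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

def parse_line(line):
    """Split one constructed log line into the fields named by the Sigma rule."""
    _date, _time, c_ip, _method, cs_uri, cs_uri_query, status = line.split()
    return {"c-ip": c_ip, "cs-uri": cs_uri, "cs-uri-query": cs_uri_query, "sc-status": status}

def sigma_selection(event):
    """The rule's 'selection' block: both |contains tests must hold (AND)."""
    return "/cgi-bin/zyadmind" in event["cs-uri"] and "DomainName=" in event["cs-uri-query"]

def domain_name_is_valid(cs_uri_query):
    """True when every DomainName value (percent-decoded once) is a plain hostname."""
    values = parse_qs(cs_uri_query, keep_blank_values=True).get("DomainName", [])
    return bool(values) and all(_HOSTNAME_RE.match(v) for v in values)

def triage(log_text):
    """Apply the Sigma selection, then grade each hit as (c-ip, confidence):
    'high' if the DomainName value is not a valid hostname, else 'review'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if sigma_selection(event):
            grade = "review" if domain_name_is_valid(event["cs-uri-query"]) else "high"
            hits.append((event["c-ip"], grade))
    return hits
```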

Indicators of Compromise

ID            | Type                 | Indicator
CVE-2026-1460 | Command Injection    | Zyxel DX3301-T0 firmware versions through 5.50(ABVY.7.1)C0
CVE-2026-1460 | Command Injection    | Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0
CVE-2026-1460 | Command Injection    | Vulnerable parameter: 'DomainName' in DHCP configuration file
CVE-2026-1460 | Privilege Escalation | Requires authenticated attacker with administrator privileges

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.