Zyxel WRE6505 v2: High-Severity Command Injection Vulnerability
The National Vulnerability Database has disclosed CVE-2026-7256, a high-severity command injection vulnerability impacting Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0. This flaw, rated with a CVSS score of 8.8 (HIGH), allows an adjacent attacker on the LAN to execute arbitrary operating system commands by sending a specially crafted HTTP request to the device’s CGI program.
This isn’t a remote attack across the internet, but it’s still dangerous. An attacker already on the local network — perhaps a guest, or someone who’s already compromised a less-secure device — can leverage this. The AV:A vector means local network access is required, but PR:N means no prior authentication is needed. This is a classic case of an unauthenticated attacker gaining full control once inside the perimeter.
Defenders need to treat devices like the Zyxel WRE6505 v2 as potential pivot points. If these extenders are present, they become easy targets for lateral movement. The lack of specified affected products beyond the single model and firmware version means organizations need to be diligent in their asset inventory and ensure no unpatched, end-of-life devices are lurking on their networks.
What This Means For You
- If your organization uses Zyxel WRE6505 v2, specifically firmware version V1.00(ABDV.3)C0, you are exposed to unauthenticated command injection from adjacent network attackers. Immediately identify these devices on your network. Since this CVE is marked "UNSUPPORTED WHEN ASSIGNED," assume no patch is coming and prioritize isolating or replacing these devices to prevent network compromise.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Zyxel WRE6505 v2 Command Injection via CGI - CVE-2026-7256
```yaml
title: Zyxel WRE6505 v2 Command Injection via CGI - CVE-2026-7256
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit the command injection vulnerability in Zyxel WRE6505 v2 by looking for specific CGI paths and the presence of 'cmd=' in the query string, indicative of an attempt to execute OS commands.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7256/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/cgi-bin/ மண்டல'
    cs-uri-query|contains:
      - 'cmd='
    # No modifier: Sigma matches the value exactly by default
    cs-method:
      - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
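An added example, not part of the feed's rule set or of any Zyxel code: the rule's selection logic evaluated in Python over constructed log lines, next to a tightened variant that ignores the HTTP method and alerts only when a decoded parameter value carries shell syntax. The log layout, `placeholder.cgi`, the addresses and the bare `/cgi-bin/` prefix are assumptions, since the advisory does not name the affected CGI program or parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log ("client method uri status"). The addresses,
# the CGI file name and the parameter values are placeholders, not device data.
SAMPLE_LOG = """\
192.0.2.10 GET /cgi-bin/placeholder.cgi?page=status 200
192.0.2.23 GET /cgi-bin/placeholder.cgi?cmd=reboot 200
192.0.2.57 GET /cgi-bin/placeholder.cgi?cmd=status%3Bid 200
192.0.2.57 POST /cgi-bin/placeholder.cgi?cmd=status%7Cid 200
192.0.2.10 GET /index.html?cmd=help 200
"""

CGI_PREFIX = "/cgi-bin/"               # assumption: generic CGI directory prefix
SHELL_META = re.compile(r"[;|&`$\n]")  # characters a shell treats as syntax


def parse(line):
    """Split one log line into the field names the Sigma rule uses."""
    client, method, uri, _status = line.split()
    parts = urlsplit(uri)
    return {"client": client, "cs-method": method,
            "cs-uri": parts.path, "cs-uri-query": parts.query}


def sigma_selection(ev):
    """Published selection: CGI path AND 'cmd=' in the query AND method GET."""
    return (CGI_PREFIX in ev["cs-uri"]
            and "cmd=" in ev["cs-uri-query"]
            and ev["cs-method"] == "GET")


def tightened(ev):
    """Any method; flag only URL-decoded parameter values with shell syntax."""
    if CGI_PREFIX not in ev["cs-uri"]:
        return False
    values = (v for _, v in parse_qsl(ev["cs-uri-query"], keep_blank_values=True))
    return any(SHELL_META.search(v) for v in values)


def matches(rule, log=SAMPLE_LOG):
    """Return the 1-based numbers of the log lines that the rule flags."""
    return [n for n, line in enumerate(log.splitlines(), 1) if rule(parse(line))]


if __name__ == "__main__":
    print("published selection:", matches(sigma_selection))
    print("tightened variant:  ", matches(tightened))
```

On this sample the published selection flags the benign `cmd=reboot` request and skips the POST, while the tightened variant does the reverse.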
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7256 | Command Injection | Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 |
| CVE-2026-7256 | Command Injection | CGI program |
| CVE-2026-7256 | Command Injection | crafted HTTP request |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.