CVE-2025-11848: Zyxel Ee5301-00 Firmware DoS Vulnerability

CVE-2025-11848 Overview

A null pointer dereference vulnerability exists in the Wake-on-LAN CGI program of multiple Zyxel network devices. This vulnerability affects the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0, among many other affected models. An authenticated attacker with administrator privileges can trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to the vulnerable CGI program.

Critical Impact

Authenticated administrators can crash affected Zyxel devices, causing network service disruption for users dependent on these routers and gateways.

Affected Products

• Zyxel VMG3625-T50B (firmware through 5.50(ABPM.9.6)C0)
• Zyxel WX3100-T0 (firmware through 5.50(ABVL.4.8)C0)
• Zyxel DX3300-T0, DX3300-T1, DX3301-T0 series
• Zyxel EX series (EX2210-T0, EX3300-T0, EX3300-T1, EX3301-T0, EX3500-T0, EX3501-T0, EX3510-B0, EX3510-B1, EX3600-T0, EX5401-B1, EX5510-B0, EX5512-T0, EX5601-T0, EX5601-T1, EX7501-B0, EX7710-B0)
• Zyxel EMG series (EMG3525-T50B, EMG5523-T50B)
• Zyxel PM series (PM3100-T0, PM5100-T0, PM5100-T1, PM7300-T0, PM7500-00)
• Zyxel VMG series (VMG4005-B50A, VMG4005-B60A, VMG8623-T50B)
• Zyxel WX series (WX3401-B1, WX5600-T0, WX5610-B0)
• Additional models: AX7501-B1, DX4510-B0, DX4510-B1, DX5401-B1, EE3301-00, EE5301-00, EE6510-10, GM4100-B0, PE3301-00, PE5301-01, PX3321-T1, PX5301-T0, SCR_50AXE, WE3300-00

Discovery Timeline

• February 24, 2026 - CVE-2025-11848 published to NVD
• February 25, 2026 - Last updated in NVD database

Technical Details for CVE-2025-11848

Vulnerability Analysis

This vulnerability is classified as CWE-476: NULL Pointer Dereference. The flaw resides in the Wake-on-LAN (WoL) CGI program that handles HTTP requests on affected Zyxel devices. When the CGI program processes specially crafted HTTP requests, it fails to properly validate input parameters before dereferencing pointers, leading to a null pointer dereference condition.

The vulnerability requires the attacker to have administrator-level authentication on the device. While this limits the attack surface, it still poses a significant risk in environments where admin credentials may have been compromised or where insider threats exist. Successful exploitation results in a denial-of-service condition, causing the affected device to crash or become unresponsive.

Root Cause

The root cause of CVE-2025-11848 is improper input validation in the Wake-on-LAN CGI handler. The program does not adequately check for null or missing parameters in HTTP requests before attempting to dereference associated pointers. When a malformed request is received with missing or null values where valid data is expected, the program attempts to access memory at address zero, triggering a crash.

This type of vulnerability typically occurs when developers assume that certain input fields will always contain valid data, without implementing proper defensive checks. In embedded device firmware, such oversights can be particularly impactful due to limited error handling capabilities.

Attack Vector

The attack is conducted over the network by sending a crafted HTTP request to the Wake-on-LAN CGI endpoint on the affected device. The attacker must first authenticate as an administrator to the device's web management interface.

Once authenticated, the attacker crafts an HTTP request to the WoL CGI program with specific parameters omitted or set to null values. When the vulnerable code processes this request without proper validation, it attempts to dereference a null pointer, causing the device to crash.

The attack mechanism involves manipulating HTTP request parameters to the Wake-on-LAN CGI endpoint. The vulnerable code fails to validate that required parameters are present and non-null before processing them. When these validation checks are missing, the null pointer dereference occurs during request handling. For detailed technical information, refer to the Zyxel Security Advisory.

Detection Methods for CVE-2025-11848

Indicators of Compromise

• Unexpected device reboots or crashes of Zyxel routers and gateways
• Authentication logs showing administrator login followed by requests to Wake-on-LAN CGI endpoints
• Web server access logs containing malformed or unusual requests to WoL-related URLs
• Network connectivity outages correlated with administrative access events

Detection Strategies

• Monitor web server access logs on Zyxel devices for requests to Wake-on-LAN CGI endpoints with missing or malformed parameters
• Implement network-based intrusion detection rules to identify suspicious HTTP requests targeting Zyxel device management interfaces
• Configure SIEM alerts for patterns of device instability or crashes following administrative authentication events
• Deploy network monitoring to detect anomalous traffic patterns to device management ports (typically port 80 or 443)

Monitoring Recommendations

• Enable comprehensive logging on Zyxel devices to capture all administrative actions and CGI requests
• Implement centralized log collection for all network infrastructure devices to correlate potential attack patterns
• Set up availability monitoring for critical Zyxel devices with automatic alerting on unexpected downtime
• Regularly review administrator access logs to identify unauthorized or suspicious login activity

How to Mitigate CVE-2025-11848

Immediate Actions Required

• Check firmware versions on all affected Zyxel devices and compare against the vulnerability criteria
• Restrict administrative access to trusted networks only using firewall rules or access control lists
• Implement strong authentication practices including unique, complex passwords for administrator accounts
• Disable remote management access if not required, limiting exposure to internal networks only
• Monitor for and apply firmware updates from Zyxel as they become available

Patch Information

Zyxel has released a security advisory addressing this vulnerability along with command injection vulnerabilities in the same product families. Organizations should review the Zyxel Security Advisory for specific firmware update information for their affected models.

Contact Zyxel support or check the vendor's download portal for updated firmware versions that address CVE-2025-11848. Prioritize updates for devices exposed to less-trusted networks or those with a higher risk of administrator credential compromise.

Workarounds

• Limit administrative access to the device management interface to trusted IP addresses only
• Place network management interfaces on isolated management VLANs with restricted access
• Implement network-level access controls to prevent unauthorized parties from reaching device management ports
• Consider disabling the Wake-on-LAN feature if it is not required for operations

# Example: Restrict management access using firewall rules (adapt to your firewall)
# Allow management access only from trusted management subnet
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP