
CVE-2025-6599: Zyxel LTE3301-Plus Firmware DoS Vulnerability

CVE-2025-6599 is a denial-of-service flaw in Zyxel LTE3301-Plus firmware that enables Slowloris-style attacks against the web server. This article covers the technical details, affected versions, and mitigation strategies.

Published: April 21, 2026

CVE-2025-6599 Overview

An uncontrolled resource consumption vulnerability has been identified in the web server component of numerous Zyxel network devices. This vulnerability allows remote attackers to perform Slowloris-style denial-of-service (DoS) attacks against the web management interface of affected devices. The attack exploits how the web server handles concurrent HTTP connections, enabling an attacker to exhaust server resources by maintaining multiple incomplete connections.

Critical Impact

Attackers can temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, potentially preventing administrators from managing critical network infrastructure during an attack.

Affected Products

  • Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier
  • Zyxel 4G LTE/5G NR CPE devices (LTE3301-Plus, NR5103, NR5103E, NR5309, NR7302, NR7303 series)
  • Zyxel DSL/Ethernet CPE devices (DX/EX/VMG/EMG series)
  • Zyxel Fiber ONTs (PM/PX/AX series)
  • Zyxel Nebula FWA series (FWA505, FWA510, FWA515, FWA710)
  • Zyxel Security Routers and Wireless Extenders (SCR 50AXE, WX/WE series)

Discovery Timeline

  • November 18, 2025 - CVE-2025-6599 published to NVD
  • December 16, 2025 - Last updated in NVD database

Technical Details for CVE-2025-6599

Vulnerability Analysis

This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The web server embedded in affected Zyxel devices fails to properly limit the number of concurrent connections or enforce appropriate connection timeouts. When an attacker initiates multiple HTTP connections and intentionally sends data at an extremely slow rate—or leaves connections open without completing the HTTP request—the server's connection pool becomes exhausted.

The Slowloris attack technique is particularly effective against web servers with limited connection handling capacity, which is common in embedded devices like routers and network appliances. Unlike volumetric DDoS attacks, Slowloris requires minimal bandwidth and can be executed from a single machine, making it accessible to attackers with limited resources.

Root Cause

The root cause lies in the web server's resource management implementation. The affected firmware versions do not implement adequate connection timeouts or rate limiting for incoming HTTP connections. The web server maintains open connections waiting for complete HTTP requests without enforcing a reasonable maximum wait time or connection limit per source IP address. This design flaw allows an attacker to consume all available connection slots, preventing legitimate users from accessing the management interface.

Attack Vector

The attack can be launched remotely over the network without requiring authentication. An attacker sends partial HTTP requests to the target device's web management interface and maintains these connections by periodically sending additional HTTP headers. The server keeps these connections open, waiting for the complete request that never arrives. By opening hundreds or thousands of such connections, the attacker exhausts the server's connection pool.

While other networking services such as routing, DHCP, and data forwarding remain unaffected, the denial of access to the web management interface can significantly impact an organization's ability to respond to network incidents or perform configuration changes during an attack.

Detection Methods for CVE-2025-6599

Indicators of Compromise

  • Unusually high number of concurrent TCP connections to port 80 or 443 on affected devices from single or limited source IP addresses
  • Web management interface becomes unresponsive or extremely slow while other device functions continue normally
  • Log entries showing numerous incomplete HTTP requests or connection timeouts
  • Elevated memory or connection tracking resource utilization on the device

Detection Strategies

  • Monitor network traffic for patterns consistent with Slowloris attacks, including many connections with minimal data transfer
  • Implement connection rate monitoring to detect anomalous spikes in TCP connection attempts to device management interfaces
  • Configure SIEM rules to alert on repeated HTTP request timeouts from the same source addresses
  • Deploy network-based intrusion detection signatures for known Slowloris attack patterns
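
The "many connections with minimal data transfer" pattern from the lists above, as an added example (not SentinelOne's or Zyxel's code): it counts, per source, the long-lived and nearly idle connections to the management ports. The CSV columns, thresholds and addresses are assumptions, and the flow table is constructed sample data.

```python
import csv
import io
from collections import defaultdict

MGMT_PORTS = {80, 443}   # web management ports named in the indicators above
MIN_AGE_S = 30           # assumed: only judge connections open at least this long
MAX_BYTES_PER_S = 10.0   # assumed: client-to-device rate counted as "slow"
MAX_SLOW_PER_SRC = 20    # assumed: alert above this many slow connections

def constructed_sample():
    """Constructed flow table: one row per open TCP connection."""
    rows = ["src,dst,dport,age_s,client_bytes"]
    # One source holding 40 long-lived, almost idle connections
    rows += [f"203.0.113.9,192.168.1.1,80,{120 + i},{200 + 2 * i}" for i in range(40)]
    # Admin workstation: a new connection and an older, busy one
    rows += ["192.168.1.50,192.168.1.1,443,2,1840",
             "192.168.1.50,192.168.1.1,443,45,96000"]
    # Shared NAT address: many connections, all short-lived
    rows += [f"198.51.100.7,192.168.1.1,443,{1 + i % 5},{900 + i}" for i in range(25)]
    # Same noisy source on a non-management port: out of scope
    rows.append("203.0.113.9,192.168.1.1,53,200,100")
    return "\n".join(rows)

def slow_connection_sources(flow_csv, device_ip, max_slow=MAX_SLOW_PER_SRC):
    """Return {src: {"slow": n, "total": m}} for sources over the threshold."""
    slow, total = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dst"] != device_ip or int(row["dport"]) not in MGMT_PORTS:
            continue
        src, age = row["src"], float(row["age_s"])
        total[src] += 1
        # A brand-new connection has no meaningful rate yet; never count it
        if age < MIN_AGE_S:
            continue
        if int(row["client_bytes"]) / age <= MAX_BYTES_PER_S:
            slow[src] += 1
    return {s: {"slow": n, "total": total[s]} for s, n in slow.items() if n > max_slow}

if __name__ == "__main__":
    for src, c in slow_connection_sources(constructed_sample(), "192.168.1.1").items():
        print(f"ALERT {src}: {c['slow']} of {c['total']} connections are long-lived and idle")
```

Scoring on age and byte rate rather than raw connection count keeps a busy NAT address with many short connections from triggering the alert.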

Monitoring Recommendations

  • Establish baseline metrics for normal web management interface connection patterns
  • Monitor device resource utilization including active connection counts and memory usage
  • Configure alerting thresholds for connection pool exhaustion indicators
  • Review device logs regularly for signs of connection flooding or timeout errors

How to Mitigate CVE-2025-6599

Immediate Actions Required

  • Apply the latest firmware updates from Zyxel that address this vulnerability
  • Restrict web management interface access to trusted IP addresses or networks using firewall rules
  • Consider disabling HTTP/HTTPS management interface access from untrusted networks (WAN side)
  • Implement network-level rate limiting for connections to device management interfaces
  • Enable any available connection timeout or rate limiting features on the affected devices

Patch Information

Zyxel has released security advisories and firmware updates addressing this vulnerability. Administrators should consult the Zyxel Security Advisory for device-specific firmware versions that contain the fix. Organizations should prioritize updating all affected devices, particularly those with management interfaces exposed to untrusted networks.

Workarounds

  • Restrict management interface access to internal networks only by configuring firewall rules to block external access to ports 80 and 443
  • Implement an external reverse proxy or web application firewall with Slowloris protection in front of device management interfaces
  • Use out-of-band management networks for critical network infrastructure devices
  • Consider temporarily disabling the web management interface and using CLI-based management methods where available
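
```bash
# Example firewall rule to restrict management access (adjust for your environment)
# INPUT filters traffic addressed to the host running these rules; on a gateway
# in front of the device, apply the same matches in the FORWARD chain instead.
# Allow management access only from trusted admin network
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
# Drop management traffic from every other source
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```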

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Zyxel
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.05%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-400

Vendor Resources

  • Zyxel Security Advisory on Vulnerabilities

Related CVEs

  • CVE-2026-6058: Zyxel WRE6505 v2 DoS Vulnerability
  • CVE-2025-11847: Zyxel LTE3301-Plus Firmware DoS Vulnerability
  • CVE-2025-11846: Zyxel LTE3301-Plus Firmware DoS Vulnerability
  • CVE-2025-11845: Zyxel LTE3301-Plus Firmware DoS Vulnerability