CVE-2026-3870 Overview
CVE-2026-3870 is a buffer overflow vulnerability [CWE-120] in the Universal Plug and Play (UPnP) AddPortMapping() command implementation of the Zyxel VMG4005-B50B DSL Ethernet customer premises equipment (CPE). The flaw affects firmware versions through 5.13(ABRL.5.4)C0. An adjacent network attacker can send crafted UPnP requests to overflow an internal buffer and cause a temporary denial-of-service (DoS) condition against the UPnP function of the device. Exploitation requires no authentication and no user interaction, but the attacker must reside on the same local network segment as the affected device.
Critical Impact
An unauthenticated attacker on the adjacent network can disrupt the UPnP service on affected Zyxel VMG4005-B50B routers, impacting dynamic port-mapping functionality used by downstream applications.
Affected Products
- Zyxel VMG4005-B50B DSL Ethernet CPE
- Firmware versions through 5.13(ABRL.5.4)C0
- UPnP AddPortMapping() command handler
Discovery Timeline
- 2026-06-02 - CVE-2026-3870 published to NVD
- 2026-06-02 - Zyxel publishes security advisory for UPnP buffer overflow vulnerabilities
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-3870
Vulnerability Analysis
The vulnerability resides in the UPnP service handler that processes AddPortMapping() SOAP requests on the Zyxel VMG4005-B50B. UPnP AddPortMapping() allows a LAN client to instruct the gateway to create a Network Address Translation (NAT) port-forwarding rule. The handler fails to enforce proper bounds checking when copying one or more arguments from the incoming SOAP envelope into a fixed-size stack or heap buffer. When the input length exceeds the destination buffer size, adjacent memory is overwritten, corrupting program state and causing the UPnP daemon to crash. The condition is transient: only the UPnP service is impacted, and routing, firewall, and management functions remain available. The CWE-120 classification ("Buffer Copy without Checking Size of Input") aligns with the missing length validation on user-supplied UPnP parameters.
Root Cause
The root cause is an unchecked memory copy operation in the UPnP AddPortMapping() parameter parser. SOAP arguments such as NewExternalPort, NewInternalClient, NewPortMappingDescription, or NewProtocol are copied into a fixed-size buffer without validating the source length against the destination capacity. This is a classic CWE-120 boundary error pattern in embedded C network services.
Attack Vector
Exploitation requires adjacent network access, typically a host on the same LAN or Wi-Fi segment as the router. The attacker sends a crafted UPnP SOAP POST request to the device's UPnP control URL with an oversized argument value. No authentication is required because UPnP control endpoints on consumer CPE are generally unauthenticated by design. The result is corruption of the UPnP daemon's memory and a service crash, denying port-mapping operations to legitimate clients until the daemon restarts.
No verified public exploitation code is available. See the Zyxel Security Advisory on Buffer Overflow for vendor-supplied technical details.
Detection Methods for CVE-2026-3870
Indicators of Compromise
- Repeated crash or restart events for the UPnP daemon (commonly miniupnpd or a Zyxel-branded UPnP process) in device system logs.
- Loss of dynamic port-forwarding functionality reported by LAN applications such as gaming consoles, VoIP clients, or peer-to-peer software.
- Inbound UPnP SOAP requests to TCP port 5000 or 49152-65535 containing abnormally large AddPortMapping argument values.
Detection Strategies
- Capture LAN traffic at the router and inspect HTTP/SOAP payloads for AddPortMapping requests where any argument exceeds typical lengths (for example, descriptions longer than 64 bytes or hostnames longer than 255 bytes).
- Correlate device syslog events showing UPnP daemon termination with source IP addresses of recent UPnP control requests.
- Monitor SNMP or syslog feeds from the CPE for repeated UPnP service restarts within short time windows.
Monitoring Recommendations
- Forward Zyxel CPE syslog output to a central log collector and alert on UPnP service crash strings.
- Baseline normal UPnP request volume per LAN host to detect anomalous bursts of malformed AddPortMapping calls.
- Track firmware version inventory across managed CPE fleets to identify devices still running versions through 5.13(ABRL.5.4)C0.
How to Mitigate CVE-2026-3870
Immediate Actions Required
- Apply the fixed firmware published in the Zyxel security advisory as soon as it is available for the VMG4005-B50B platform.
- Disable UPnP on the affected router if dynamic port mapping is not required by LAN applications.
- Restrict LAN access to trusted devices, since exploitation requires an attacker on the adjacent network.
Patch Information
Zyxel has published a security advisory covering buffer overflow vulnerabilities in the UPnP function of certain 4G LTE, 5G NR, and DSL Ethernet CPE devices. Administrators should consult the Zyxel Security Advisory on Buffer Overflow for the specific fixed firmware version for the VMG4005-B50B and follow the vendor's upgrade procedure.
Workarounds
- Disable the UPnP service from the router's web management interface under the NAT or UPnP configuration page.
- Segment untrusted devices (guest Wi-Fi, IoT) onto a separate VLAN that cannot reach the router's UPnP control endpoint.
- Block inbound UPnP SOAP requests from untrusted LAN segments using the router's built-in firewall rules where supported.
# Configuration example: disable UPnP via Zyxel CLI
configure terminal
no ip upnp
write memory
exit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
