CVE-2026-4795 Overview
CVE-2026-4795 is a missing authorization vulnerability [CWE-862] affecting Zyxel GS1200v3 series web-managed switches. The flaw allows a LAN-based, unauthenticated attacker to retrieve the system configuration from a log file by sending a crafted HTTP request. Because the device exposes the log endpoint without verifying caller identity, sensitive configuration data leaks to anyone with adjacent network access. Affected models include the GS1200-5v3, GS1200-8v3, GS1200-5HPv3, GS1200-8HPv3, and GS1200-10v3 product lines running vulnerable firmware. Zyxel published a security advisory on May 26, 2026, addressing the issue.
Critical Impact
An unauthenticated attacker on the local network can read the full system configuration, exposing credentials, VLAN topology, and management settings that enable follow-on attacks.
Affected Products
- Zyxel GS1200-5v3 firmware through 1.00(ACPS.2)C0 and GS1200-8v3 firmware through 1.00(ACPT.2)C0
- Zyxel GS1200-5HPv3 firmware through 1.00(ACPU.2)C0 and GS1200-8HPv3 firmware through 1.00(ACPV.2)C0
- Zyxel GS1200-10v3 firmware through 1.00(ACPW.2)C0
Discovery Timeline
- 2026-05-26 - Zyxel publishes security advisory for GS1200v3 series switches
- 2026-05-26 - CVE-2026-4795 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-4795
Vulnerability Analysis
The GS1200v3 web management interface exposes a log file resource over HTTP without enforcing an authentication or authorization check. The switch stores runtime diagnostic data, including portions of the system configuration, inside this log file. When a client requests the resource using a crafted HTTP request, the firmware returns the contents directly to the caller. The disclosed data includes management settings that should remain restricted to authenticated administrators. The Common Weakness Enumeration classification [CWE-862] applies because the server fails to verify that the requester is authorized to access the protected resource. The EPSS probability for this CVE is approximately 0.035% as of May 28, 2026.
Root Cause
The root cause is a missing authorization check on the HTTP handler that serves diagnostic log output. The handler does not validate session cookies, administrator credentials, or any access control token before returning data. Any client capable of reaching the switch management interface receives the log contents on request.
Attack Vector
Exploitation requires adjacent network access, meaning the attacker must reside on the same LAN segment as the switch. The attacker sends a single crafted HTTP request to the management interface. No authentication, user interaction, or specialized tooling is required. The vulnerability affects confidentiality only — the attacker reads configuration data but cannot directly modify settings or disrupt service through this flaw.
No public proof-of-concept code is verified for this vulnerability. See the Zyxel Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-4795
Indicators of Compromise
- Unexpected HTTP GET requests to log file endpoints on the switch management interface from non-administrator hosts on the LAN
- Outbound transfers of configuration-sized payloads from the switch IP to unmanaged or unknown client systems
- Repeated probing of the switch web interface from a single LAN-based source without authenticated session cookies
Detection Strategies
- Inspect switch HTTP access logs, if available, for unauthenticated requests targeting diagnostic or log resources
- Use network detection tooling to flag plaintext HTTP traffic to switch management IPs from non-administrative subnets
- Correlate access attempts against an inventory of approved administrative workstations and alert on deviations
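The correlation described in the strategies above can be sketched as follows. This is an added example, not vendor or advisory code: the flow-record CSV layout, the switch and administrator addresses, the port set, and the response-size threshold are all assumptions to replace with your own inventory and telemetry.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site inventory (constructed addresses on one flat LAN).
SWITCH_MGMT_IPS = {ip_address("192.168.1.2"), ip_address("192.168.1.3")}
ADMIN_NETS = [ip_network("192.168.1.10/32"), ip_network("192.168.1.11/32")]
HTTP_PORTS = {80}  # plaintext web management; extend if your UI listens elsewhere

# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """\
ts,src,dst,dport,resp_bytes
2026-05-27T09:00:01Z,192.168.1.10,192.168.1.2,80,18432
2026-05-27T09:02:13Z,192.168.1.57,192.168.1.2,80,20480
2026-05-27T09:02:15Z,192.168.1.57,192.168.1.3,80,512
2026-05-27T09:03:40Z,192.168.1.57,192.168.1.50,80,900
2026-05-27T09:05:00Z,192.168.1.90,192.168.1.3,443,700
not-a-timestamp,bad-ip,192.168.1.2,80,x
"""

def is_admin(src):
    """True when the source address is an approved administrative workstation."""
    return any(src in net for net in ADMIN_NETS)

def find_unapproved_access(flow_csv, large_resp=8192):
    """Return alerts for HTTP flows to switch management IPs from non-admin hosts.

    large_resp is an assumed byte threshold for a configuration-sized response.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            dport, size = int(row["dport"]), int(row["resp_bytes"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the run
        if dst not in SWITCH_MGMT_IPS or dport not in HTTP_PORTS:
            continue  # not web-management traffic to an inventoried switch
        if is_admin(src):
            continue  # approved workstation
        alerts.append({"ts": row["ts"], "src": str(src), "dst": str(dst),
                       "large_response": size >= large_resp})
    return alerts

if __name__ == "__main__":
    for alert in find_unapproved_access(SAMPLE_FLOWS):
        print(alert)
```

Alerts with large_response set are the ones to triage first, since they match the configuration-sized transfer indicator listed above.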
Monitoring Recommendations
- Capture management VLAN traffic and baseline the volume of HTTP requests directed at GS1200v3 switches
- Forward switch syslog output to a centralized log platform and retain it for forensic review
- Alert on configuration changes that follow anomalous read activity, since leaked credentials may enable later authenticated abuse
How to Mitigate CVE-2026-4795
Immediate Actions Required
- Apply the firmware update referenced in the Zyxel security advisory for each affected GS1200v3 model
- Restrict management interface reachability to a dedicated administrative VLAN and block LAN clients from contacting the switch web UI
- Rotate any administrative passwords, SNMP community strings, and shared secrets that the log file may have exposed
Patch Information
Zyxel published patched firmware for the GS1200-5v3, GS1200-8v3, GS1200-5HPv3, GS1200-8HPv3, and GS1200-10v3 series. Refer to the Zyxel Security Advisory for the specific fixed firmware versions and download links for each model.
Workarounds
- Place GS1200v3 switches behind an access control list that permits HTTP management traffic only from designated administrator IP addresses
- Disable the web management interface where the switch can be managed by alternative means until firmware is updated
- Segment unmanaged LAN clients from infrastructure subnets to reduce adjacent network exposure


