CVE-2026-7273 Overview
CVE-2026-7273 is a stack-based buffer overflow vulnerability [CWE-121] in the Common Gateway Interface (CGI) program of the Zyxel GS1900-48HPv2 switch firmware. The flaw affects firmware versions through 2.90(ABTQ.1)C0. An unauthenticated attacker on the adjacent network can send a crafted HTTP request to trigger the overflow. Successful exploitation can lead to operating system command execution on the affected switch.
Critical Impact
An unauthenticated LAN-based attacker can execute arbitrary OS commands on the switch, gaining control of network infrastructure and enabling further lateral movement.
Affected Products
- Zyxel GS1900-48HPv2 switch
- Firmware versions through 2.90(ABTQ.1)C0
- Zyxel GS1900 series web management interface (CGI program)
Discovery Timeline
- 2026-06-16 - CVE-2026-7273 published to NVD together with the vendor security advisory
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-7273
Vulnerability Analysis
The vulnerability resides in the CGI program responsible for handling HTTP requests on the GS1900-48HPv2 web management interface. The CGI binary processes attacker-controlled HTTP input without enforcing proper bounds checking on a stack-allocated buffer. When the supplied input exceeds the expected size, adjacent stack memory is overwritten, including saved return addresses and control data.
Because the affected component is reachable before authentication, the request handler's own input validation is the only safeguard in front of the vulnerable copy, and that validation is insufficient. The attack does not require credentials or user interaction. The attacker must be on the local or adjacent network segment that can reach the switch's management interface.
Successful exploitation provides command execution in the context of the CGI process, which typically runs with elevated privileges on embedded network devices. This grants control over switching configuration, traffic mirroring, and potentially the entire underlying operating system.
Root Cause
The root cause is missing or insufficient input length validation in the CGI request parser. The handler copies untrusted HTTP request data into a fixed-size stack buffer without verifying the length of the source data. This classifies the issue under CWE-121 (Stack-based Buffer Overflow).
Attack Vector
The attack vector is Adjacent Network (AV:A). An attacker must reach the switch's HTTP management service from the same broadcast domain or LAN segment. No credentials or user interaction are required. Exploitation is performed by issuing a single crafted HTTP request with an oversized parameter.
No verified public proof-of-concept code is available at the time of publication. Technical details on the specific vulnerable CGI handler are described in the Zyxel Security Advisory.
Detection Methods for CVE-2026-7273
Indicators of Compromise
- Unexpected HTTP POST or GET requests with abnormally large parameter values targeting CGI endpoints on GS1900 switches
- Crashes, reboots, or watchdog resets of the GS1900-48HPv2 device coinciding with HTTP traffic from a single source
- Unscheduled changes to switch configuration, VLAN assignments, or port-mirroring rules
- New or unexpected outbound connections originating from the switch management interface
Detection Strategies
- Inspect HTTP traffic destined for switch management interfaces and alert on request bodies or URI parameters exceeding expected length thresholds
- Deploy network IDS signatures that match malformed CGI requests targeting /cgi-bin/ paths on Zyxel GS1900 devices
- Correlate switch syslog events showing process crashes or service restarts with surrounding HTTP access logs
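The two strategies above (oversized parameters aimed at `/cgi-bin/` paths, and crash events that coincide with HTTP traffic) can be checked offline against exported logs. The script below is an added example written for this page, not Zyxel code and not derived from the advisory: the access-log and syslog formats, the `/cgi-bin/example.cgi` path, the 256-byte threshold, the 60-second correlation window and every sample line are constructed assumptions and should be adapted to the formats your collector actually produces.

```python
"""Flag oversized CGI query parameters in web access logs and correlate them
with switch syslog crash/restart events within a short time window.
Added illustration only: log formats, path, thresholds and sample data are
constructed and are not taken from Zyxel or from a real GS1900 deployment."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# Common-Log-Format style access line (assumed format, not the switch's own).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ISO-8601 syslog line (assumed format); crash keywords are a constructed list.
SYSLOG_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<msg>.*)$')
CRASH_WORDS = ("segfault", "crash", "watchdog", "restarted")


def parse_access_line(line):
    """Split one access-log line into source, timestamp, path and query params."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return {"src": m["src"], "ts": ts, "method": m["method"], "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True),
            "status": int(m["status"])}


def oversized_requests(log_text, max_param_len=256, path_prefix="/cgi-bin/"):
    """Return requests under path_prefix carrying a query parameter longer than max_param_len."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        for name, value in rec["params"]:
            if len(value) > max_param_len:
                hits.append({"src": rec["src"], "ts": rec["ts"], "path": rec["path"],
                             "param": name, "length": len(value)})
    return hits


def crash_events(syslog_text):
    """Return syslog records whose message mentions a crash, watchdog or restart."""
    events = []
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and any(w in m["msg"].lower() for w in CRASH_WORDS):
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "host": m["host"], "msg": m["msg"]})
    return events


def correlate(hits, events, window=timedelta(seconds=60)):
    """Pair each oversized request with any crash event that follows it within the window."""
    return [(h, e) for h in hits for e in events if timedelta(0) <= e["ts"] - h["ts"] <= window]


# Constructed sample data (hypothetical hosts, path and timestamps).
LONG = "A" * 600
ACCESS_LOG = "\n".join([
    '10.0.99.7 - - [16/Jun/2026:10:01:02 +0000] "GET /cgi-bin/example.cgi?cmd=1 HTTP/1.1" 200 512',
    f'10.0.5.23 - - [16/Jun/2026:10:03:14 +0000] "GET /cgi-bin/example.cgi?cmd={LONG} HTTP/1.1" 500 0',
    '10.0.99.7 - - [16/Jun/2026:10:10:00 +0000] "GET /index.html?q=' + "B" * 300 + ' HTTP/1.1" 200 2048',
])
SYSLOG = "\n".join([
    "2026-06-16T10:03:16Z gs1900-sw1 watchdog: httpd restarted after crash",
    "2026-06-16T11:00:00Z gs1900-sw1 system: configuration saved",
])

if __name__ == "__main__":
    hits = oversized_requests(ACCESS_LOG)
    for h, e in correlate(hits, crash_events(SYSLOG)):
        print(f"{h['src']} sent {h['length']}-byte '{h['param']}' to {h['path']} at {h['ts']}; "
              f"{e['host']} logged '{e['msg']}' {int((e['ts'] - h['ts']).total_seconds())}s later")
```

Only URI parameters are visible in an access log; request bodies (the POST case in the indicators above) have to be measured at a proxy or IDS in front of the management interface. The long parameter on the `/index.html` line is deliberately left unflagged to show the path filter doing its job; lower the prefix filter if your switches expose CGI handlers elsewhere.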
Monitoring Recommendations
- Forward switch syslog and authentication logs to a centralized SIEM and alert on management plane anomalies
- Restrict and monitor which hosts may reach the switch management VLAN, treating any unauthorized HTTP request as suspicious
- Track firmware version inventory across the GS1900 fleet to confirm patched state and flag drift
How to Mitigate CVE-2026-7273
Immediate Actions Required
- Identify all Zyxel GS1900-48HPv2 switches and confirm whether they run firmware version 2.90(ABTQ.1)C0 or earlier
- Apply the patched firmware released by Zyxel as described in the vendor security advisory
- Restrict access to the switch web management interface to a dedicated management VLAN with strict ACLs
- Review switch configurations and logs for evidence of unauthorized changes following the disclosure date
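Confirming "2.90(ABTQ.1)C0 or earlier" across a fleet means parsing Zyxel's version string and comparing it field by field. The script below is an added example for the inventory step above and for the firmware-drift check in the monitoring section; it is not Zyxel tooling. The assumption that versions order by major, minor, release number, build letter and build number is mine, the inventory entries are constructed, and the "later" version in the sample is a hypothetical placeholder, not the fixed release (take that from the advisory).

```python
"""Parse Zyxel-style firmware version strings and flag inventory entries
at or below the version the advisory names as affected.
Added illustration: the ordering rule is an assumption and the inventory
is constructed; the real patched version comes from the Zyxel advisory."""
import re

AFFECTED_THROUGH = "2.90(ABTQ.1)C0"  # affected-through version quoted on this page

# e.g. V2.90(ABTQ.1)C0 -> major 2, minor 90, model code ABTQ, release 1, build C0
VERSION_RE = re.compile(
    r'^V?(?P<major>\d+)\.(?P<minor>\d+)\((?P<model>[A-Z]+)\.(?P<release>\d+)\)'
    r'(?P<build>[A-Z])(?P<buildnum>\d+)$'
)


def parse_version(s):
    """Return (model_code, comparable tuple). Tuple order is an assumption."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    key = (int(m["major"]), int(m["minor"]), int(m["release"]), m["build"], int(m["buildnum"]))
    return m["model"], key


def is_affected(version, affected_through=AFFECTED_THROUGH):
    """True when version is at or below affected_through for the same model code."""
    model, key = parse_version(version)
    ref_model, ref_key = parse_version(affected_through)
    if model != ref_model:
        return False  # a different model code is outside this comparison
    return key <= ref_key


# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "sw-floor1", "model": "GS1900-48HPv2", "version": "V2.80(ABTQ.0)C0"},
    {"host": "sw-floor2", "model": "GS1900-48HPv2", "version": "V2.90(ABTQ.1)C0"},
    {"host": "sw-dc1", "model": "GS1900-48HPv2", "version": "V2.90(ABTQ.2)C0"},  # hypothetical later build
    {"host": "sw-lab", "model": "GS1900-24", "version": "V2.90(MODEL.1)C0"},    # placeholder model code
]


def triage(inventory, affected_model="GS1900-48HPv2"):
    """Bucket devices into affected / not_affected / out_of_scope / unparsed."""
    results = {"affected": [], "not_affected": [], "out_of_scope": [], "unparsed": []}
    for dev in inventory:
        if dev["model"] != affected_model:
            results["out_of_scope"].append(dev["host"])
            continue
        try:
            bucket = "affected" if is_affected(dev["version"]) else "not_affected"
        except ValueError:
            bucket = "unparsed"
        results[bucket].append(dev["host"])
    return results


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Treat "not_affected" as "newer than the affected-through version", not as proof that the device runs the fixed build; reconcile the result against the version the advisory lists, and investigate any "unparsed" entry by hand.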
Patch Information
Zyxel has released fixed firmware for the GS1900 series. Refer to the Zyxel Security Advisory for the exact patched firmware version and download links for the GS1900-48HPv2 model.
Workarounds
- Disable the HTTP/HTTPS web management interface on devices that can be administered via console or out-of-band management
- Place switch management interfaces on an isolated, access-controlled management network unreachable from user VLANs
- Apply layer-2 ACLs or private VLANs to block untrusted hosts from initiating HTTP sessions to the switch

# Example (IOS-style extended ACL on the router or L3 switch in front of the management VLAN):
# permit HTTP/HTTPS to the switch only from the management subnet, deny it from everywhere else.
# Replace 10.0.99.0/24 (wildcard 0.0.0.255) with your management subnet and <switch-mgmt-ip> with the switch address.
# The list has no effect until it is applied inbound on the interface facing untrusted hosts.
access-list 100 permit tcp 10.0.99.0 0.0.0.255 host <switch-mgmt-ip> eq 80
access-list 100 permit tcp 10.0.99.0 0.0.0.255 host <switch-mgmt-ip> eq 443
access-list 100 deny tcp any host <switch-mgmt-ip> eq 80
access-list 100 deny tcp any host <switch-mgmt-ip> eq 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

