CVE-2026-7287: Zyxel NWA1100-N Firmware DoS Vulnerability

CVE-2026-7287 Overview

CVE-2026-7287 is a buffer overflow vulnerability in the webs binary of Zyxel NWA1100-N customized firmware version 1.00(AACE.1)C0. The flaw affects five web interface handlers: formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert(). A remote unauthenticated attacker can send a crafted HTTP request to trigger a denial-of-service (DoS) condition on the affected access point. The vulnerability is classified under [CWE-120] (Buffer Copy without Checking Size of Input). Zyxel has marked the NWA1100-N as end-of-life, and the device is unsupported at the time of CVE assignment.

Critical Impact

Unauthenticated remote attackers can crash the device over the network with a single crafted HTTP request, disrupting wireless connectivity for all clients.

Affected Products

• Zyxel NWA1100-N access point hardware
• Zyxel NWA1100-N firmware version 1.00(AACE.1)C0
• End-of-life Zyxel NWA1100-N deployments still in production

Discovery Timeline

• 2026-05-12 - CVE-2026-7287 published to NVD
• 2026-05-16 - Last updated in NVD database

Technical Details for CVE-2026-7287

Vulnerability Analysis

The vulnerability resides in the webs HTTP server binary embedded in the NWA1100-N firmware. Five form handler functions process attacker-controlled HTTP parameters without validating input length. When oversized data reaches these handlers, the unchecked copy operation overruns the destination buffer. The overflow corrupts adjacent memory and crashes the webs process, taking the management interface and associated wireless services offline. The attack requires no authentication and no user interaction. Because the NWA1100-N is end-of-life, no vendor patch will be released to address the issue.

Root Cause

The root cause is missing bounds checking on HTTP request parameters processed by formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert(). Each handler copies user-supplied form data into fixed-size stack or heap buffers without validating length, producing a classic [CWE-120] buffer overflow condition.

Attack Vector

An attacker reaches the vulnerable handlers over the network by sending an HTTP POST request to the device's management interface. The request contains oversized values targeting one of the five form parameters. Processing the malformed request triggers the overflow and crashes the web server, producing a denial-of-service condition. The CVSS impact metrics indicate availability-only impact, with no confidentiality or integrity loss.

No verified public proof-of-concept exploit code is available for this vulnerability. The exploitation mechanism involves sending an HTTP request with parameter values exceeding the destination buffer size to any of the five vulnerable form endpoints exposed by the webs binary.

Detection Methods for CVE-2026-7287

Indicators of Compromise

• Unexpected reboots or crashes of NWA1100-N access points coinciding with inbound HTTP traffic to the management interface
• HTTP POST requests to web management endpoints containing abnormally long parameter values for formWep, formWlAc, formPasswordSetup, formUpgradeCert, or formDelcert
• Loss of wireless service or management plane availability following web interface access from untrusted networks

Detection Strategies

• Inspect web server access logs on the access point for requests targeting the five affected form handlers with oversized payloads
• Deploy network intrusion detection signatures that flag HTTP requests with parameter lengths exceeding expected values for Zyxel management endpoints
• Correlate device availability monitoring with HTTP request logs to identify crash patterns tied to specific request signatures

Monitoring Recommendations

• Monitor SNMP or ICMP availability of NWA1100-N devices and alert on unscheduled reboots
• Log all inbound connections to access point management interfaces and review for traffic from unauthorized network segments
• Track repeated HTTP 5xx responses or connection failures from access point web interfaces as early indicators of exploitation attempts

How to Mitigate CVE-2026-7287

Immediate Actions Required

• Restrict access to the NWA1100-N web management interface to trusted management VLANs only, blocking exposure from user and guest networks
• Place affected devices behind a firewall that filters inbound HTTP and HTTPS traffic to the management plane
• Plan replacement of NWA1100-N devices with currently supported Zyxel access points, as the model is end-of-life

Patch Information

No patch is available. Zyxel has classified the NWA1100-N as end-of-life and does not provide security updates for this product. Refer to the Zyxel End-of-Life Support Information page for the official support status. Replacement with a supported model is the only complete remediation.

Workarounds

• Disable remote management on the WAN interface and restrict web administration to a dedicated management network
• Apply access control lists on upstream switches or routers to permit HTTP traffic to the device only from authorized administrator IP addresses
• Segment vulnerable access points onto isolated VLANs to limit blast radius if a DoS condition is triggered

# Example ACL restricting management access to a single admin subnet
access-list 110 permit tcp 10.10.0.0 0.0.0.255 host <NWA1100-N-IP> eq 80
access-list 110 permit tcp 10.10.0.0 0.0.0.255 host <NWA1100-N-IP> eq 443
access-list 110 deny   tcp any host <NWA1100-N-IP> eq 80
access-list 110 deny   tcp any host <NWA1100-N-IP> eq 443