Impact
The vulnerability is a command injection flaw in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0. An attacker who is physically adjacent to the device on the local network can craft a specific HTTP request that causes the device to execute arbitrary operating-system commands. The flaw is categorized as CWE-78, which covers unsafe handling of user input that is passed to system commands. The weakness lets an attacker run commands with the privileges of the firmware service, potentially modifying device configuration, accessing stored data, or altering system behavior.
Affected Systems
Zyxel WRE6505 v2 firmware, specifically version V1.00(ABDV.3)C0, is affected.
Risk and Exploitability
The CVSS score of 8.8 classifies this as a high-severity vulnerability. The EPSS score of 1% indicates a low but nonzero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Because the description states that an attacker must be located on the same LAN segment, the attack vector is limited to the local network. No additional authentication or privilege escalation steps are described, so compromise requires only sending a crafted HTTP request to the vulnerable CGI endpoint. Organizations that host this device on untrusted LAN segments face the risk of local compromise, including potential installation of malicious firmware or pivoting to other network assets.
OpenCVE Enrichment