CVE-2025-11847 PUBLISHED

Assigner: Zyxel
Reserved: 16.10.2025 Published: 24.02.2026 Updated: 24.02.2026

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 4.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Zyxel
Product	VMG3625-T50B firmware
Versions	Default: unaffected Version <= 5.50(ABPM.9.6)C0 is affected

Vendor	Zyxel
Product	WX3100-T0 firmware
Versions	Default: unaffected Version <= 5.50(ABVL.4.8)C0 is affected

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026

Problem Types

CWE-476 NULL Pointer Dereference CWE