CVE-2026-7273

Vulnerability

A stack-based buffer overflow vulnerability exists in the CGI program of multiple Zyxel GS1900 series switch firmware versions. Affected models include GS1900-8 (up to 2.90(AAHH.1)C0), GS1900-8HP (up to 2.90(AAHI.1)C0), GS1900-10HP (up to 2.90(AAZI.1)C0), GS1900-16 (up to 2.90(AAHJ.1)C0), GS1900-24 (up to 2.90(AAHL.1)C0), GS1900-24E (up to 2.90(AAHK.1)C0), GS1900-24EP (up to 2.90(ABTO.1)C0), GS1900-24HPv2 (up to 2.90(ABTP.1)C0), GS1900-48 (up to 2.90(AAHN.1)C0), and GS1900-48HPv2 (up to 2.90(ABTQ.1)C0). The flaw is triggered via a crafted HTTP request sent to the device's CGI program. [1]

Exploitation

An attacker must be on the same LAN as the vulnerable switch and send a specially crafted HTTP request to the CGI program. No authentication is required to reach the vulnerable code path. The attacker sends an oversized input that overflows a fixed-size stack buffer, corrupting adjacent memory and allowing control of execution flow. [1]

Impact

Successful exploitation enables an unauthenticated, LAN-based attacker to execute arbitrary operating system commands on the switch. This can lead to full compromise of the device, including data exfiltration, network manipulation, and potential pivot attacks within the local network. The CIA impact is high, as the attacker gains command execution with the privileges of the CGI process. [1]

Mitigation

Zyxel has released patched firmware versions for all affected models: GS1900-8 (2.90(AAHH.2)C0), GS1900-8HP (2.90(AAHI.2)C0), GS1900-10HP (2.90(AAZI.2)C0), GS1900-16 (2.90(AAHJ.2)C0), GS1900-24 (2.90(AAHL.2)C0), GS1900-24E (2.90(AAHK.2)C0), GS1900-24EP (2.90(ABTO.2)C0), GS1900-24HPv2 (2.90(ABTP.2)C0), GS1900-48 (2.90(AAHN.2)C0), and GS1900-48HPv2 (2.90(ABTQ.2)C0). Users should upgrade to the latest available firmware for their model. No workarounds are provided in the advisory. [1]