CVE-2025-8693

Q: What is the severity of CVE-2025-8693?

CVE-2025-8693 has a CVSS score of 8.8 (HIGH). A post-authentication command injection vulnerability in Zyxel DX3300-T0 firmware allows authenticated attackers to execute arbitrary operating system commands on affected devices. This affects Zyxel DX3300-T0 devices running firmware version 5.50(ABVY.6.3)C0 and earlier. Attackers with valid credentials can gain full control of the device.

8.8 HIGH

Remote Code Execution

📋 TL;DR

A post-authentication command injection vulnerability in Zyxel DX3300-T0 firmware allows authenticated attackers to execute arbitrary operating system commands on affected devices. This affects Zyxel DX3300-T0 devices running firmware version 5.50(ABVY.6.3)C0 and earlier. Attackers with valid credentials can gain full control of the device.

💻 Affected Systems

Products:

Zyxel DX3300-T0

Versions: 5.50(ABVY.6.3)C0 and earlier

Operating Systems: Zyxel proprietary firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have valid authentication credentials. Default credentials may be present in some deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent backdoors, pivot to internal networks, intercept/modify traffic, or use device as botnet node.

🟠

Likely Case

Attacker with stolen/default credentials gains full administrative control of device, enabling network reconnaissance, credential harvesting, or lateral movement.

🟢

If Mitigated

With strong authentication and network segmentation, impact limited to single device compromise without lateral movement capability.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication but command injection is straightforward once authenticated. No public exploit code available as of advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for latest patched version

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025

Restart Required: Yes

Instructions:

1. Access Zyxel support portal. 2. Download latest firmware for DX3300-T0. 3. Backup current configuration. 4. Upload firmware via web interface. 5. Apply update and restart device.

🔧 Temporary Workarounds

Restrict Administrative Access

all

Limit administrative interface access to trusted IP addresses only

Configure firewall rules to restrict access to management interface

Strong Authentication Enforcement

all

Enforce complex passwords and disable default credentials

Change default admin password to complex unique password

🧯 If You Can't Patch

Isolate device in separate VLAN with strict firewall rules
Implement network monitoring for suspicious command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System Info > Firmware Version

Check Version:

Web interface: System Info > Firmware Version

Verify Fix Applied:

Verify firmware version is newer than 5.50(ABVY.6.3)C0

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed authentication attempts followed by successful login

Network Indicators:

Unexpected outbound connections from device
Unusual traffic patterns to/from management interface

SIEM Query:

source="zyxel*" AND (event_type="command_execution" OR auth_success="true" AFTER auth_failure>3)

📊 Metadata

CVE ID: CVE-2025-8693

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 0.23% exploit probability (45.8th percentile)

Published: November 18, 2025

Last Updated: December 15, 2025

🔗 References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-uncontrolled-resource-consumption-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-11-18-2025 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Ax7501 B0 Firmware by Zyxel

Ax7501 B1 Firmware by Zyxel

Dm4200 B0 Firmware by Zyxel

Dx3300 T0 Firmware by Zyxel

Dx3300 T1 Firmware by Zyxel

Dx3301 T0 Firmware by Zyxel

Dx4510 B1 Firmware by Zyxel

Dx5401 B0 Firmware by Zyxel

Dx5401 B1 Firmware by Zyxel

Ee3301 00 Firmware by Zyxel

Ee5301 00 Firmware by Zyxel

Ee6510 10 Firmware by Zyxel

Emg3525 T50b Firmware by Zyxel

Emg5523 T50b Firmware by Zyxel

Emg5723 T50k Firmware by Zyxel

Ex3300 T0 Firmware by Zyxel

Ex3300 T0 Firmware by Zyxel

Ex3300 T1 Firmware by Zyxel

Ex3301 T0 Firmware by Zyxel

Ex3500 T0 Firmware by Zyxel

Ex3501 T0 Firmware by Zyxel

Ex3510 B0 Firmware by Zyxel

Ex3510 B1 Firmware by Zyxel

Ex3600 T0 Firmware by Zyxel

Ex5401 B0 Firmware by Zyxel

Ex5401 B1 Firmware by Zyxel

Ex5501 B0 Firmware by Zyxel

Ex5510 B0 Firmware by Zyxel

Ex5512 T0 Firmware by Zyxel

Ex5601 T0 Firmware by Zyxel

Ex5601 T1 Firmware by Zyxel

Ex7501 B0 Firmware by Zyxel

Ex7710 B0 Firmware by Zyxel

Gm4100 B0 Firmware by Zyxel

Pe3301 00 Firmware by Zyxel

Pe5301 01 Firmware by Zyxel

Pm3100 T0 Firmware by Zyxel

Pm5100 T0 Firmware by Zyxel

Pm7300 T0 Firmware by Zyxel

Pm7500 00 Firmware by Zyxel

Px3321 T1 Firmware by Zyxel

Px3321 T1 Firmware by Zyxel

Px5301 T0 Firmware by Zyxel

Vmg3625 T50b Firmware by Zyxel

Vmg3927 T50k Firmware by Zyxel

Vmg4005 B50a Firmware by Zyxel

Vmg4005 B50b Firmware by Zyxel

Vmg4005 B60a Firmware by Zyxel

Vmg8623 T50b Firmware by Zyxel

Vmg8825 T50k Firmware by Zyxel

We3300 00 Firmware by Zyxel

Wx3100 T0 Firmware by Zyxel

Wx3401 B0 Firmware by Zyxel

Wx3401 B1 Firmware by Zyxel

Wx5600 T0 Firmware by Zyxel

Wx5610 B0 Firmware by Zyxel