MEDIUM 6.5

CVE-2026-3870: Zyxel VMG4005-B50B UPnP Buffer Overflow Denial-of-Service

Zyxel VMG4005-B50B routers with firmware up to version 5.13(ABRL.5.4)C0 contain a buffer overflow flaw in their UPnP port-mapping feature. An attacker on the same local network can exploit this to crash the UPnP service temporarily, preventing legitimate port-forwarding operations until the service recovers or the device is rebooted.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A buffer overflow vulnerability in the UPnP AddPortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-3870 is a classic stack or heap buffer overflow (CWE-120) triggered via malformed input to the AddPortMapping() UPnP command. The vulnerability resides in the UPnP daemon's request parsing logic. Because the vector is AV:A (adjacent network), the attacker must be on the local network segment or have access to the device's UPnP multicast/unicast interfaces. The flaw causes memory corruption leading to a denial-of-service condition rather than arbitrary code execution, as reflected in the CVSS score emphasizing availability impact (A:H) with no confidentiality or integrity breach.

Business impact

UPnP denial-of-service affects network services that depend on dynamic port mapping, including gaming consoles, IoT devices, and P2P applications. Organizations relying on these routers in office or remote-work settings may experience temporary disruption of services that use UPnP for NAT traversal. The impact is localized to the device itself and does not propagate across the broader network, but repeated attacks could degrade user experience and increase support overhead.

Affected systems

Zyxel VMG4005-B50B routers running firmware version 5.13(ABRL.5.4)C0 and earlier are vulnerable. This model is typically deployed in small office and home office (SOHO) environments and consumer broadband installations. Organizations should verify their deployed firmware versions against the vendor's advisory to determine exposure.

Exploitability

Exploitability is straightforward for an attacker with local network access. The attack requires no authentication, no user interaction, and minimal complexity—characteristics reflected in the CVSS metrics (PR:N/UI:N/AC:L). However, the adjacent network requirement (AV:A) significantly limits the threat surface compared to remotely exploitable flaws. An insider, guest on the same LAN, or compromised internal device could trigger this vulnerability. Public exploit code is not widely documented, but the attack surface is well-understood by network-adjacent adversaries.

Remediation

Zyxel has released patched firmware to address this issue. Organizations should apply the latest available firmware version for the VMG4005-B50B model as recommended by Zyxel's security advisory. Firmware updates are typically deployed via the device's management interface or automatic update mechanism. Until patching is complete, network segmentation to restrict UPnP traffic to trusted devices and disabling UPnP if not required can mitigate risk.

Patch guidance

Check Zyxel's official support portal for the latest firmware release for VMG4005-B50B models. Firmware versions after 5.13(ABRL.5.4)C0 should contain the fix; verify the exact version number in the vendor advisory. Test patches in a lab or non-production environment before broad deployment to ensure compatibility with existing configurations. Most Zyxel devices support automated firmware updates; enable this feature if your organization's security policies permit.

Detection guidance

Monitor UPnP service logs on affected routers for abnormal crashes or restarts of the UPnP daemon correlating with suspicious network traffic. Intrusion detection systems can flag malformed UPnP AddPortMapping() commands with oversized or invalid parameters. Network behavior analytics may detect rapid or repeated UPnP requests followed by service unavailability. Review router access logs for unauthorized local network connections or unusual UPnP activity. Consider enabling verbose logging on UPnP services during the remediation window.

Why prioritize this

This vulnerability merits prompt but measured attention. The CVSS score of 6.5 (MEDIUM) reflects limited exploitability (adjacent access only) but a clear availability impact on a commonly deployed consumer router. The lack of KEV listing suggests active exploitation is not yet tracked by CISA. However, organizations with significant UPnP-dependent workloads or those with permissive guest network policies should prioritize patching to minimize service disruption. The fix is straightforward and low-risk, making it a good candidate for near-term deployment cycles.

Risk score, explained

The CVSS 3.1 score of 6.5 balances several factors: (1) The attack is network-adjacent only, not internet-facing, limiting the attacker pool substantially. (2) No authentication or user action is required, making exploitation trivial once local access is achieved. (3) Impact is denial-of-service to a non-critical network service on a router, not the entire device or infrastructure. (4) No data confidentiality or integrity compromise occurs. The score reflects a real but bounded risk—significant enough to patch, insufficient to declare a critical security emergency.

Frequently asked questions

Can this vulnerability be exploited remotely over the internet?

No. The CVSS vector specifies AV:A (adjacent network), meaning the attacker must be on the same local network segment as the router. Remote internet-based exploitation is not possible. However, compromised devices already on the internal network pose a risk.

Does this vulnerability allow an attacker to compromise other devices on my network?

No. The vulnerability causes only a temporary denial-of-service to the UPnP function on the affected router. It does not grant access to other network resources, user data, or systems. The impact is isolated to the router's UPnP service availability.

What is the difference between a buffer overflow and other memory corruption flaws?

A buffer overflow (CWE-120) occurs when data is written beyond the allocated boundary of a memory buffer. While classic buffer overflows can enable arbitrary code execution, this particular instance results in a crash rather than code execution—a safer-but-still-disruptive failure mode.

Should I disable UPnP on my router if I cannot patch immediately?

If UPnP is not actively used by devices on your network, disabling it is a reasonable interim mitigation. However, if applications like gaming consoles or media servers require it, weigh the convenience against the DoS risk. Network segmentation to isolate UPnP traffic to trusted devices is a less disruptive alternative.

This analysis is based on CVE-2026-3870 as published and available information as of the modification date. Vulnerability details and patch availability may evolve; always consult Zyxel's official security advisories for the most current firmware versions and remediation steps. This document does not constitute a guarantee of protection and should be used as part of a comprehensive vulnerability management program. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).