MEDIUM 6.5

CVE-2026-3871: Zyxel VMG4005-B50B UPnP Buffer Overflow DoS Vulnerability

Zyxel VMG4005-B50B gateway devices running firmware version 5.13(ABRL.5.4)C0 and earlier contain a buffer overflow flaw in the UPnP DeletePortMapping command. An attacker on the same local network can exploit this to crash the UPnP service, temporarily disabling port mapping features. The vulnerability requires network adjacency and does not enable data theft or system compromise, but does degrade device functionality.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

A buffer overflow vulnerability in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-3871 is a classic buffer overflow (CWE-120) in the UPnP DeletePortMapping() command handler of the Zyxel VMG4005-B50B residential gateway. The vulnerable code does not properly validate the length of input parameters before writing to a stack or heap buffer, allowing an adjacent network attacker to send a crafted UPnP SOAP request with an oversized payload. This triggers a memory corruption event that crashes the UPnP daemon process. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the attack's requirement for local network access and its limitation to denial-of-service impact.

Business impact

For users relying on the VMG4005-B50B for UPnP-dependent port forwarding (common in gaming, remote access, and IoT scenarios), exploitation results in service unavailability until manual device restart. In managed environments, this can cascade to dependent applications. The vulnerability does not exfiltrate data or grant code execution, limiting scope to availability. However, repeated DoS could increase operational overhead and support costs in organizations managing multiple units.

Affected systems

Zyxel VMG4005-B50B residential gateways with firmware through version 5.13(ABRL.5.4)C0 are affected. This model is a DSL/IP access device commonly deployed by ISPs and in small office/home office networks. Confirm your device firmware version via the management web interface (typically 192.168.1.1 or 192.168.0.1). The vulnerability is not known to affect other VMG series models at this time; verify your specific model against Zyxel advisories.

Exploitability

Exploitation is moderately straightforward for an attacker already on the local network (adjacent network requirement per CVSS). No authentication is required to send UPnP commands, and standard UPnP client libraries can craft the malicious DeletePortMapping request. However, the attacker must be within Layer 2 broadcast domain or have routed access to the UPnP service port (typically UDP 1900 or TCP 49152+), limiting the attack surface to local networks, ISP networks, or compromised internal systems. Exploitation does not require user interaction or special privileges.

Remediation

Zyxel has released firmware patches to address this buffer overflow. Affected organizations should upgrade the VMG4005-B50B to the latest available firmware version, which will be documented in the official Zyxel security advisory. Interim mitigations include disabling UPnP if port mapping is not required, restricting UPnP access via firewall rules to trusted internal subnets, or isolating the device to a guest or IoT network with egress controls. Verify patch availability directly from Zyxel's support portal.

Patch guidance

Obtain the patched firmware from Zyxel's official support website or through your ISP if they manage device updates. Firmware updates for this device are typically applied via the web management console (System > Firmware Upgrade) or through automated push mechanisms. Back up configuration before updating. Test in a non-production unit first if possible. Zyxel advisories will specify minimum recommended versions; apply the latest stable release to ensure all security fixes are included. Verify successful upgrade by checking the firmware version in the device management interface post-update.

Detection guidance

Monitor for abnormal UPnP traffic patterns: watch for repeated DeletePortMapping requests with malformed or oversized parameters targeting port 1900 (UDP) or UPnP device control ports. Intrusion detection systems can detect suspicious UPnP SOAP payloads. On affected devices, log sudden UPnP daemon crashes (check system logs via telnet or SSH if available). Network-based detection should focus on local network segments; this vulnerability does not travel across the internet. Review gateway syslog for repeated UPnP process restarts correlating with suspicious local client activity.

Why prioritize this

Despite a MEDIUM CVSS score, prioritization should be context-dependent. In networks where UPnP is actively used for legitimate services (gaming, remote access, IoT device management), immediate patching is warranted to prevent business disruption. In networks with UPnP disabled or restricted, risk is lower but should still be addressed in routine maintenance windows. The vulnerability does not enable lateral movement or data exfiltration, reducing urgency compared to remote code execution flaws, but the ease of exploitation by any local network user justifies deliberate scheduling rather than deferral.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) Attack Vector = Adjacent (AV:A), limiting exposure to local networks; (2) Attack Complexity = Low (AC:L), indicating straightforward exploitation once access is achieved; (3) Privileges Required = None (PR:N); (4) User Interaction = None (UI:N); (5) Scope = Unchanged (S:U); (6) Confidentiality = None (C:N), Integrity = None (I:N), Availability = High (A:H), confirming the DoS impact. The score does not account for business context (e.g., criticality of port forwarding to your operations) or environmental mitigations (e.g., network segmentation), which may justify higher or lower internal risk ratings.

Frequently asked questions

Does this vulnerability allow remote attackers to compromise the device?

No. The vulnerability is limited to adjacent (local network) attackers and causes only a temporary denial-of-service affecting the UPnP function. It does not enable remote code execution, authentication bypass, or data exfiltration. An attacker cannot gain shell access or reconfigure the device.

If UPnP is not used, am I still at risk?

If UPnP is explicitly disabled in the device settings, the DeletePortMapping command handler is unlikely to be active, reducing risk. However, best practice is to upgrade the firmware anyway to ensure all security components are current. Verify UPnP is disabled via the management interface.

How often do I need to restart the device after an attack?

A successful exploitation triggers a crash of the UPnP daemon process. The device itself typically remains online, but UPnP port mapping functionality ceases until the daemon restarts (usually automatic within seconds to minutes, depending on device watchdog configuration) or the device is manually rebooted. Repeated attacks within a short window could cause sustained disruption.

Are there alternatives to patching if firmware upgrades are not immediately available?

Interim mitigations include: (1) disabling UPnP in the web management console if port forwarding is not required; (2) restricting UPnP access via firewall rules to only trusted internal devices; (3) isolating the device to a separate network segment with access controls; (4) contacting Zyxel support for emergency patch availability. These measures reduce exploitability but do not eliminate the underlying flaw.

This analysis is provided for informational purposes and is current as of the publication date. Exploit code, proof-of-concept details, and weaponized attack scenarios are not included. Readers should verify all patch version numbers, availability dates, and affected product ranges directly against Zyxel's official security advisories before deploying mitigations. Your organization's security team should assess risk within your specific network environment, considering factors such as network segmentation, UPnP usage, and business criticality not captured in CVSS scoring. SEC.co makes no warranty as to the accuracy, completeness, or suitability of this information for your use. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).