01 · The Real Story
This is a branch-office router that lets a helpdesk badge open the cabinet holding the master keys
CVE-2021-35036 is not just "cleartext storage" in the abstract; on affected Zyxel firmware, an authenticated low-privilege session can query backend CGI/DAL handlers and receive sensitive values from login-privilege and TR-069 configuration objects. The original CVE was assigned to VMG3625-T50B firmware V5.50(ABTL.0)b2k, but Zyxel later expanded the affected scope to additional CPE, ONT, LTE, and 5G product families, with fixes including VMG3625-T50B V5.50(ABTL.0)b2r, V5.50(ABPM.7)C0, or V5.50(ACCR.0)b4 depending on branch.
The vendor's 6.5 MEDIUM is directionally fair, but only if you remember the exploit chain starts *after* the attacker already has authenticated access to the device management plane. That prerequisite is a major real-world brake in enterprise environments; however, the data exposed can include higher-privilege local credentials and remote-management secrets, so this is more serious than a routine low-impact info leak and does not deserve to be pushed down to backlog junk.
"Post-auth info leak on an edge router is real risk, but it starts after the attacker already has management access."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Get a valid low-priv management session
The attacker first needs working credentials for the Zyxel management interface and network reachability to that interface. In practice this is done with a browser,
curl, or Burp Suite after credential theft, credential reuse, insider access, or compromise of a less-privileged device user.Conditions required:
- Reachability to the router web management interface
- A valid authenticated account with at least low privileges
- Management interface is enabled on LAN, WAN, or ISP-accessible segment
Where this breaks in practice:
- Many deployments keep management on the local LAN only
- This is post-initial-access if the attacker is external and lacks foothold or creds
- Enterprises often do not give ordinary users router-management accounts
Detection/coverage: Most scanners cannot prove exploitability here without credentials; detection is mostly limited to auth logs, config-management inventory, or version-based checks.
STEP 02
Query sensitive DAL handlers with ordinary web tooling
Using the authenticated session, the attacker requests backend handlers such as
/cgi-bin/DAL?oid=login_privilege and /cgi-bin/DAL?oid=tr69. Technical reversing published after disclosure indicates these getters returned password-bearing objects instead of enforcing a stronger privilege boundary.Conditions required:
- Existing authenticated web session or equivalent cookie/token
- Firmware branch still exposing sensitive objects through DAL/CGI getters
Where this breaks in practice:
- Patched firmware closes or masks the sensitive return path
- TR-069 is not enabled by default on generic firmware, reducing one branch of exposure
- Some ISP customizations may alter endpoint behavior
Detection/coverage: Web logs may show unusual requests to DAL endpoints, but most network IDS signatures will miss this because the traffic looks like normal authenticated management use.
STEP 03
Harvest admin, FTPS, and TR-069 secrets
If the vulnerable handlers respond, the attacker extracts cleartext credentials and related management parameters from the JSON output. That turns a nominal confidentiality issue into a practical credential-harvesting event against the device control plane.
Conditions required:
- Sensitive fields are returned in responses
- Attacker can parse the returned configuration data
Where this breaks in practice:
- Some values may be irrelevant if corresponding services are disabled
- Not every leaked secret automatically gives broader network access
Detection/coverage: EDR has little value on an appliance-class router; the best evidence is unusual management-plane response volume or follow-on administrative logins.
STEP 04
Reuse elevated secrets for device control or provider-side management abuse
The attacker can then try the recovered higher-privilege local credentials against the admin interface or use leaked TR-069 material where that channel is in use. Impact ranges from full router administration to exposure of ISP-management relationships, but the blast radius usually stays anchored to the affected device or tenant.
Conditions required:
- Leaked credentials map to an enabled admin or management service
- Those services are reachable from the attacker's position
Where this breaks in practice:
- Admin plane may still be LAN-only or provider-only
- TR-069 abuse depends on deployment-specific ACS topology
- This is still a narrow, appliance-scoped follow-on action rather than instant enterprise-wide compromise
Detection/coverage: Administrative login logs, config-change auditing, and ISP CPE management telemetry are the most useful follow-on detections; generic vuln scans will not see credential reuse.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No authoritative evidence found of active exploitation, and the CVE is not listed in CISA KEV based on the catalog search results reviewed. |
|---|---|
| Public exploit / PoC status | No Metasploit or Exploit-DB weaponization found. A later technical write-up attributed to M.nageh describes reachable DAL endpoints and backend password exposure, which is enough for a competent operator to reproduce. |
| EPSS | 0.00153 from the provided intel, which is very low and fits the absence of broad opportunistic exploitation. |
| KEV status | Not KEV-listed; no CISA date-added entry located. |
| CVSS meaning | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N means remote exploitation is technically simple once authenticated, but it does not provide unauthenticated reach or direct code execution. |
| Affected versions | Original CVE scope was VMG3625-T50B V5.50(ABTL.0)b2k; Zyxel and NVD later expanded coverage to additional VMG*, EMG*, DX*, EX*, AX*, PMG*, LTE*, and NR* firmware families before their listed fixed releases. |
| Fixed versions | For the original model, Zyxel lists fixes at VMG3625-T50B V5.50(ABTL.0)b2r, V5.50(ABPM.7)C0, or V5.50(ACCR.0)b4 depending on firmware branch and regional/customized build. |
| Exposure reality | The product supports web management, config backup/restore, remote-management controls, and TR-069. That means exposure is deployment-dependent, not universally internet-reachable by default. |
| Scanning / telemetry | I did not find GreyNoise or Censys evidence tying this CVE to active scan traffic. Treat this as a targeted post-auth weakness, not an internet-wide wormable event. |
| Disclosure / reporting | Public disclosure date in the supplied intel is 2022-03-01; Zyxel's published advisory was released on 2022-09-27 and credits M.nageh. |
04 · The Call
noisgate verdict.
Final Verdict
= UNCHANGED to MEDIUM (5.4/10)
The decisive factor is the authenticated-management prerequisite: an attacker must already have router-management access before this CVE does anything. That sharply narrows the exposed population, but the leak still matters because it can hand a low-privileged user the credentials needed to control the device.
HIGH Exploit chain requires authenticated access to the management interface
MEDIUM Post-disclosure technical write-up materially increases confidence in practical credential exposure
MEDIUM Wider affected-product scope beyond the original VMG3625-T50B record
Why this verdict
- Down from vendor 6.5: the first prerequisite is authenticated router-management access, which implies prior compromise, insider access, or credential theft.
- Population narrowing: many enterprise and ISP deployments keep the management plane LAN-only or provider-restricted, so reachable targets are a subset of installed devices, not the whole internet.
- Still not low: the exposed data can include higher-privilege local account credentials and TR-069 secrets, creating a real privilege-escalation and control-plane takeover path on the appliance.
Why not higher?
This is not unauthenticated, not wormable, and not code execution. The blast radius is usually one appliance or one subscriber edge context at a time, and the low EPSS plus lack of KEV listing argue against treating it like an emergency internet-edge burn-down item.
Why not lower?
Calling this a trivial info leak would miss the practical consequence: the disclosed values can be the very secrets that separate a weak account from administrative control. Once a low-privileged session exists, exploitation is straightforward and built from normal web requests, not exotic memory corruption.
05 · Compensating Control
What to do — in priority order.
- Restrict management-plane reachability — Bind the web/SSH/Telnet management interface to trusted admin networks only, disable WAN-side management where possible, and keep provider-management paths segregated. For a
MEDIUMverdict there is no mitigation SLA — go straight to the 365-day remediation window, but this hardening should be folded into standard router baseline policy now because it removes the biggest precondition. - Cull low-priv router accounts — Remove unused local users, convert shared low-priv support accounts to named accounts where the platform supports it, and rotate any credentials that may have been exposed through config export or prior access. There is no mitigation SLA for
MEDIUM, but do this during your normal access-hygiene cycle while tracking patching inside the 365-day remediation window. - Turn off unused remote-management services — Disable TR-069, FTPS, Telnet, or other management features that are not operationally required, because this CVE's value comes from exposing management secrets tied to those services. With
MEDIUM, treat this as baseline risk reduction rather than emergency containment. - Monitor administrative logins and config reads — Alert on unusual logins to the CPE management plane, repeated access to DAL/CGI paths, and sudden follow-on admin actions after low-priv sessions. This will not prevent exploitation, but it is one of the few realistic detective controls on appliance-class hardware.
What doesn't work
- A perimeter IPS alone does not solve this, because the dangerous requests look like ordinary authenticated management traffic.
- Endpoint EDR does not meaningfully cover consumer/ISP CPE appliances, so do not assume your workstation telemetry will catch router-side abuse.
- Masking passwords in the UI is not sufficient if backend getters still return raw values; this issue is about access control on the management API, not cosmetic display.
06 · Verification
Crowdsourced verification payload.
Run this on an auditor workstation or config-management runner, not on the router itself. Invoke it with bash check-cve-2021-35036.sh <MODEL> <FIRMWARE_VERSION> — for example bash check-cve-2021-35036.sh VMG3625-T50B 'V5.50(ABTL.0)b2k'; it needs no special privileges because it performs an offline version assessment against the vendor's published fixed builds.
#!/usr/bin/env bash
# check-cve-2021-35036.sh
# Offline version triage for CVE-2021-35036
# Usage: bash check-cve-2021-35036.sh <MODEL> <FIRMWARE_VERSION>
# Example: bash check-cve-2021-35036.sh VMG3625-T50B 'V5.50(ABTL.0)b2k'
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage error
set -u
if [ "$#" -ne 2 ]; then
echo "UNKNOWN - usage: $0 <MODEL> <FIRMWARE_VERSION>"
exit 3
fi
MODEL_RAW="$1"
VER_RAW="$2"
MODEL="$(printf '%s' "$MODEL_RAW" | tr '[:lower:]' '[:upper:]')"
VER="$(printf '%s' "$VER_RAW" | tr -d '[:space:]')"
# Known fixed versions from Zyxel advisory for affected families.
# This script intentionally stays conservative:
# - exact known vulnerable version for the original CVE -> VULNERABLE
# - exact published fixed versions -> PATCHED
# - everything else -> UNKNOWN (manual review required)
case "$MODEL" in
"VMG3625-T50B")
case "$VER" in
"V5.50(ABTL.0)B2K"|"V5.50(ABTL.0)b2k")
echo "VULNERABLE"
exit 1
;;
"V5.50(ABTL.0)B2R"|"V5.50(ABTL.0)b2r"|"V5.50(ABPM.7)C0"|"V5.50(ACCR.0)B4"|"V5.50(ACCR.0)b4"|"V5.50(ABPM.9.2)C0")
echo "PATCHED"
exit 0
;;
*)
echo "UNKNOWN"
exit 2
;;
esac
;;
"VMG3927-T50K")
[ "$VER" = "V5.50(ABOM.8)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"VMG8623-T50B"|"EMG3525-T50B"|"EMG5523-T50B")
[ "$VER" = "V5.50(ABPM.7)C0" ] && { echo "PATCHED"; exit 0; }
[ "$VER" = "V5.50(ABPM.9.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"EMG5723-T50K"|"VMG8825-T50K")
[ "$VER" = "V5.50(ABOM.8)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"DX3301-T0")
[ "$VER" = "V5.50(ABVY.3)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"DX5401-B0"|"EX5401-B0")
[ "$VER" = "V5.17(ABYO.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"EX5501-B0")
[ "$VER" = "V5.17(ABRY.3)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"AX7501-B0"|"AX7501-B SERIES"|"AX7501-B")
[ "$VER" = "V5.17(ABPC.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"EP240P")
[ "$VER" = "V5.40(ABVH.0)C0A03" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"PMG5617GA")
[ "$VER" = "V5.40(ABNA.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"PMG5622GA")
[ "$VER" = "V5.40(ABNB.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"PMG5317-T20B")
[ "$VER" = "V5.40(ABKI.4)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"PMG5617-T20B2")
[ "$VER" = "V5.41(ACBB.1)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"PM7300-T0")
[ "$VER" = "V5.42(ACBC.1)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE3301-PLUS")
[ "$VER" = "V1.00(ABQU.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE5388-M804")
[ "$VER" = "V1.00(ABSQ.4)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE5388-S905")
[ "$VER" = "V1.00(ABVI.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE5398-M904")
[ "$VER" = "V1.00(ABQV.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7240-M403")
[ "$VER" = "V2.00(ABMG.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7461-M602")
[ "$VER" = "V2.00(ABQN.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7480-S905")
[ "$VER" = "V2.00(ABQT.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7480-M804")
[ "$VER" = "V1.00(ABRA.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7485-S905")
[ "$VER" = "V1.00(ABVN.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"LTE7490-M804")
[ "$VER" = "V1.00(ABQY.5)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"NR5101")
[ "$VER" = "V1.00(ABVC.6)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"NR7101")
[ "$VER" = "V1.00(ABUV.7)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
"NR7102")
[ "$VER" = "V1.00(ABYD.2)C0" ] && { echo "PATCHED"; exit 0; }
echo "UNKNOWN"
exit 2
;;
*)
echo "UNKNOWN"
exit 2
;;
esac
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning, do not treat this like an internet-fire emergency unless you have evidence your router-management plane is broadly reachable or low-priv router accounts are common in your environment. Because the reassessed verdict is
MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window: use that period to patch affected Zyxel fleets to the vendor-fixed firmware, and in parallel tighten management exposure and retire unnecessary low-priv accounts as standard hardening. If these devices sit in branch or ISP-edge roles, inventory them now and complete actual firmware updates inside the noisgate remediation SLA of ≤ 365 days.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.