Zyxel GS1900 Switch Takeover Flaw CVE-2026-7273: Patch 10 Models Now
Zyxel's GS1900 office network switches — 10 models — have a flaw, CVE-2026-7273, that lets anyone on the same local network take the device over without a password, enabling traffic spying or cut-offs. Here are the affected models, the fixed firmware, and the update steps to run now.

Makoto Horikawa
Backend Engineer / AWS / Django
A serious flaw has been found in Zyxel's "GS1900" series, the business network switches that tie together the PCs, printers, and security cameras in offices, shops, and schools. It is tracked as CVE-2026-7273. Anyone on the same local network can take the device over by sending a single crafted request, without holding any login password at all.
Zyxel published its security advisory on June 16, 2026, and released fixed firmware (the software that runs the device) for all 10 affected models. The severity is rated a high 8.8 out of 10. A compromised switch can let an attacker spy on internal traffic or cut it off entirely, so if you run an affected model, update soon.
✓ What we know so far
- ✓ The affected products are 10 models in Zyxel's GS1900 business switch series (from GS1900-8 through GS1900-48HPv2 / Zyxel official)
- ✓ The flaw is a stack-based buffer overflow (CWE-121): a memory buffer overflows and causes the program to misbehave. It lives in the program that handles the device's management screen
- ✓ No login is needed to exploit it. However, the attack is limited to the same LAN (local network); it is not something anyone can do over the open internet. Severity is 8.8 out of 10 (NVD)
- ✓ Fixed firmware is available for every model. As of now, there is no official report of the flaw being exploited in real attacks
What the Zyxel GS1900 actually is
A switch is a device that connects PCs, printers, IP phones, security cameras, and wireless access points with LAN cables and directs the traffic between them. With more ports than a home router, switches are widely used as "the foundation of the internal network" in small-business offices, shops, schools, and clinics. Zyxel is a Taiwan-based network-equipment maker, and the GS1900 series is a popular line of "smart switches" designed to be manageable even without a dedicated IT administrator.
The GS1900 ships with a browser-based web management screen, and this is exactly where the flaw lives: in the program (CGI) that drives that screen. The problem is that no login is required. Code behind a screen that should only be reachable by an administrator can be reached by a request sent before logging in. That means anyone on the same network can reach inside the device without knowing the ID or password. Note that only the 10 models in the table below are affected; Zyxel states that its other products are out of scope this time.
Someone on your LAN becomes the switch's owner without a key
"The switch gets taken over" may sound distant compared with losing a server or a PC. But a switch is the spot every piece of internal traffic must pass through. Controlling it means getting your hands on the company's communications themselves — and this flaw makes that happen without a password.
The people who come for this hole are not only elite hackers in a faraway country. They are the visitor or contractor who quietly plugs into a spare port at reception or a meeting-room LAN, the attacker who phished a staff member's PC and used that machine as a stepping stone into the network, a loaned laptop infected with malware and remotely controlled, and the disgruntled employee on the way out. What they want is not the "switch" as a box, but what flows through it: the emails and quotes exchanged inside the company, the IDs and passwords used to log into business systems, the boundary where guest and internal traffic mix, and a foothold for breaking into other devices. The moment CVE-2026-7273 is exploited, this switch falls under the attacker's control, and every bit of traffic crossing it lands in the palm of their hand.
Technically, the attacker starts with reconnaissance to build a foothold somewhere on the internal network, because this flaw does not reach over the internet — it requires being on the same LAN (an adjacent-network attack). Yet that requirement is a lower wall than it sounds. The instant one employee opens a phishing attachment, the attacker is standing inside the LAN. From there, sending a single crafted request to the switch makes the device run commands that only an administrator should be able to execute (OS command execution), handing over control. Once the switch is theirs, they can quietly mirror traffic to another device to read it, shut specific endpoints out of the network, or use it as a base to attack other internal devices one after another.
The 8.8 severity is only a measure of technical seriousness. What a small company or shop actually loses is the point-of-sale and ordering traffic that stops the business when it goes down, the information exchanged with customers and suppliers, and the lingering unease — even after recovery — of knowing that the foundation of the network was in someone else's hands. The very sites that cannot afford a dedicated IT person are the least likely to notice a switch being quietly taken over, so the damage drags on.
CVE-2026-7273: overflowing the management-screen program to run commands
According to Zyxel's advisory and the NVD entry, CVE-2026-7273 is a stack-based buffer overflow (CWE-121) in the program (CGI) that handles the GS1900's web management screen. This is the classic flaw where a program's temporary holding area (a buffer) is fed more data than it expects, overflows, and overwrites neighboring memory to cause a malfunction. If the attacker slips their own instructions into the overflow, they can make the device execute arbitrary commands (OS commands).
The technical rating (CVSS vector) is AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, scoring 8.8. In plain terms, "from within the same LAN (adjacent network, AV:A), under simple conditions (AC:L), with no login (PR:N) and no user interaction (UI:N), an attacker can cause all of information theft (C:H), tampering (I:H), and device shutdown (A:H)." The key detail is the leading AV:A: the attack requires being on the same LAN, not reaching over the internet. Conversely, once a foothold exists inside the network, it works with no login credentials whatsoever.
The 10 affected models and their fixed firmware
The following 10 models are affected. Check your firmware version in the device's web management screen and update to the fixed release or later. The model number is also printed on the label on the side or bottom of the unit.
| Model | Affected version | Fixed release (apply now) |
|---|---|---|
| GS1900-8 | 2.90(AAHH.1)C0 and earlier | 2.90(AAHH.2)C0 |
| GS1900-8HP | 2.90(AAHI.1)C0 and earlier | 2.90(AAHI.2)C0 |
| GS1900-10HP | 2.90(AAZI.1)C0 and earlier | 2.90(AAZI.2)C0 |
| GS1900-16 | 2.90(AAHJ.1)C0 and earlier | 2.90(AAHJ.2)C0 |
| GS1900-24 | 2.90(AAHL.1)C0 and earlier | 2.90(AAHL.2)C0 |
| GS1900-24E | 2.90(AAHK.1)C0 and earlier | 2.90(AAHK.2)C0 |
| GS1900-24EP | 2.90(ABTO.1)C0 and earlier | 2.90(ABTO.2)C0 |
| GS1900-24HPv2 | 2.90(ABTP.1)C0 and earlier | 2.90(ABTP.2)C0 |
| GS1900-48 | 2.90(AAHN.1)C0 and earlier | 2.90(AAHN.2)C0 |
| GS1900-48HPv2 | 2.90(ABTQ.1)C0 and earlier | 2.90(ABTQ.2)C0 |
Note that the NVD entry lists "GS1900-48HPv2" as the representative model, but Zyxel's official advisory names all 10 models above as affected. Be sure to check whether your unit is on the list by both model number and firmware version.
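For sites with more than a couple of switches, the check against the table can be scripted. The following is an added example, not Zyxel's tooling: the inventory rows and host names are constructed, and it assumes releases order by version number, then by the digit after the model code, then by the C number.

```python
import re

# First fixed release per model, copied from the table above.
FIXED = {
    "GS1900-8": "2.90(AAHH.2)C0", "GS1900-8HP": "2.90(AAHI.2)C0",
    "GS1900-10HP": "2.90(AAZI.2)C0", "GS1900-16": "2.90(AAHJ.2)C0",
    "GS1900-24": "2.90(AAHL.2)C0", "GS1900-24E": "2.90(AAHK.2)C0",
    "GS1900-24EP": "2.90(ABTO.2)C0", "GS1900-24HPv2": "2.90(ABTP.2)C0",
    "GS1900-48": "2.90(AAHN.2)C0", "GS1900-48HPv2": "2.90(ABTQ.2)C0",
}
# Shape of the strings in the table: 2.90(AAHH.1)C0, with an optional "V".
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse(version):
    """Split '2.90(AAHH.1)C0' into (model_code, sortable tuple)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, cnum = m.groups()
    return code, (int(major), int(minor), int(patch), int(cnum))

def status(model, version):
    """Return 'not-listed', 'unknown', 'vulnerable' or 'fixed'."""
    if model not in FIXED:
        return "not-listed"  # not one of the 10 affected models
    fixed_code, fixed_key = parse(FIXED[model])
    try:
        code, key = parse(version)
    except ValueError:
        return "unknown"  # unreadable string: check the device by hand
    if code != fixed_code:
        return "unknown"  # model code does not match this model's firmware
    return "fixed" if key >= fixed_key else "vulnerable"

# Constructed inventory: (host, model, firmware as shown in the web UI).
INVENTORY = [
    ("sw-reception", "GS1900-8", "2.90(AAHH.1)C0"),
    ("sw-office", "GS1900-24EP", "2.90(ABTO.2)C0"),
    ("sw-store", "GS1900-48HPv2", "2.80(ABTQ.3)C0"),
    ("sw-lab", "GS1900-16", "2.90(AAHH.2)C0"),
]

def audit(inventory):
    return {host: status(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```

An `unknown` result means the firmware string could not be matched to the model and the device should be checked by hand rather than assumed safe.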
What to do right now
The top priority is updating to the fixed firmware. Get the release for your model from Zyxel's download page and apply it from the web management screen. Because this flaw assumes an attacker already on the same LAN, a useful stopgap when you cannot update immediately is to restrict who can reach the switch's web management screen to a trusted administrator's device only. In practice, separate the management network (VLAN) from business and guest traffic so unknown devices cannot reach the management screen.
It is also worth revisiting the basics that prevent a foothold from forming inside: block spare LAN ports that visitors or contractors can freely plug into, separate internal and guest Wi-Fi, and audit the access rights of departed staff and outsourcing partners. These steps strengthen the whole internal network, not just this one flaw.
You can track the latest status of vulnerabilities under active attack on our CISA KEV dashboard (Japanese). CVE-2026-7273 is not currently listed in KEV (the U.S. CISA list of vulnerabilities confirmed to be under active attack), but network-device flaws are often exploited after disclosure, so it is safer to act without waiting for a listing.
The network's foundation keeps getting targeted
Flaws targeting "the foundation of the internal network" — switches, routers, VPNs — keep piling up. On this site we have covered the actively exploited flaw in Cisco Catalyst SD-WAN Manager (CVE-2026-20262), which centrally manages a company's network; the Ivanti Sentry case (CVE-2026-10520 and others), where the management platform for employee phones fell without a password; and the Netty flaw (CVE-2026-45674 and others) that can lead to traffic spoofing.
These foundational devices are easy to deprioritize precisely because no one thinks about them day to day. But to an attacker, holding just one of them reaches all the traffic beneath it — an efficient target. Especially at small and mid-sized sites with no dedicated IT staff, it is not unusual for a switch's firmware to have gone un-updated for years. Let CVE-2026-7273 be the prompt to take stock of the model numbers and versions of the business network gear on your premises.