MERCUSYS-AC12G/advisories at master · Tymbark7372/MERCUSYS-AC12G

15 CVEs in Mercusys AC12G (EU) V1 - 2 Critical, 4 High, 8 Medium, 1 Low - Tymbark7372/MERCUSYS-AC12G

GitHub - xchg-rax-rax/vulnerability-research: This repository details the CVEs that I have discovered.

GitHub - yuezhaoshanmu/cve: cve

Zyxel security advisory for buffer overflow vulnerabilities in the UPnP function of certain 4G LTE/5G NR CPE and DSL/Ethernet CPE | Zyxel Networks

CVEs: CVE-2026-3870, CVE-2026-3871

Summary

Zyxel has released patches for specific firmware versions of certain 4G LTE/5G NR CPE and DSL/Ethernet CPE devices to address buffer overflow vulnerabilities. Users are strongly advised to install these patches to ensure optimal protection.

What are the vulnerabilities?

CVE-2026-3870

A buffer overflow vulnerability in the UPnP AddPortMapping() command in certain DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.

CVE-2026-3871

A buffer overflow vulnerability in the UPnP DeletePortMapping() command in certain 4G LTE/5G NR CPE and DSL/Ethernet CPE firmware versions could allow an adjacent attacker to trigger a temporary DoS condition affecting the UPnP function of the affected device. It is important to note that this vulnerability can only be exploited within a LAN/WLAN environment, and the device will continue to function as expected when processing network traffic, even if the attack is successful.

What versions are vulnerable—and what should you do?

After a thorough investigation, we identified the vulnerable products within their vulnerability support period and released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any product currently on the market that is not listed in the tables is not affected.

Table 1. Models affected by CVE-2026-3870

| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |

* Please contact your Zyxel sales representative or support team to obtain the file.

Table 2. Models affected by CVE-2026-3871

| Product | Affected model | Affected version | Patch availability* |
| 4G LTE/5G NR CPE | NR7101 | 1.00(ABUV.11)C0 and earlier | 1.00(ABUV.12)B4 |
| | Nebula LTE3301-PLUS | 1.18(ACCA.6)C0 and earlier | 1.18(ACCA.8)V0 |
| | Nebula NR7101 | 1.16(ACCC.1)C0 and earlier | 1.16(ACCC.3)V0 |
| DSL/Ethernet CPE | VMG4005-B50B | 5.13(ABRL.5.4)C0 and earlier | 5.13(ABRL.5.5)C0 |

* Please contact your Zyxel sales representative or support team to obtain the file.

For ISPs, please contact your Zyxel sales or service representatives for further details. For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP's support team, as the device may have custom-built settings. For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance.

Got a question?

Please contact your local service rep or visit Zyxel's Community for further information or assistance.

Acknowledgment

Thanks to McCaulay Hudson from watchTowr for reporting the issues to us.

Revision history

2026-6-2: Initial release

Why the FUCK do I *need* to or even /want/ to connect my dryer to the Internet. Why does it need "AI"?

Dry my fucking clothes. You have ONE job. You don't need to tell anyone it's happening. You don't need to check that you are authorized to do so. There are no optimizations you need to check for. I push the button, you spin my clothes and blow hot air through them.

#internetofshit #enshittification

GitHub - hacefresko/CVEs: Collection of CVEs that I have discovered and their corresponding exploits


so far in 007 First Light:
- Bond makes a reference to the internet of shit with "my toaster has a tracker";
- the antagonist is a founder of AI company whose AI tech is used to predict terrorist threats but actually makes serious mistakes;
- and the antagonist fixes those mistakes by sending a squad of soldiers to reframe the narrative so that AI supposedly was right;
- gameplay is a merge of Hitman & Uncharted

you know, I think this is potentially a GOTY candidate

#Gaming #InternetOfShit #AI

https://www.kr3bz.wtf/posts/sdmc-ne6037-router-recovery-backdoor/

During December 2025, I had to temporarily move to a different apartment due to renovations in my own. I spent most of the winter looking for potential targets to research and chose Windows Server Update Services (found a lame DoS, maybe I’ll post about it) as it was affected by some RCE vulnerabilities in 2025 and is a juicy target.

While I was preparing the lab environment, I noticed some Internet connectivity issues. I thought that it was the usual DHCP renewal every 24 hours enforced by the ISP, but then I realized that actually my wireless NIC was reconnecting to the router. OK, maybe some maintenance by the ISP? But the same dang thing started to happen more often, and I was getting irritated. So, how to fix this? Well, let’s pwn the device!

and

By promising to remove the backdoor and assign per-device passwords, SDMC implicitly admitted both that it exists and that every device currently ships with the same hardcoded root credentials even on latest firmware versions.

#internetOfShit

Recovering the rooter: SDMC NE6037 CVE-2026-24444

Exploiting SDMC NE6037 Router Recovery Backdoor to obtain root access

kr3bz

Computer stuff needs to get more expensive. A lot more expensive. The fact that it's cheap causes silly things to be done with it.

Computers should not be in TIRES!

TIRES should not connect to the internet!

TIRES should not connect to OTHER CARS!

https://www.youtube.com/watch?v=IVH-Bq7HBfE

#cars #tires #toomuchtechnology #screwcomputers #internetofshit #somebodyelsescomputer #duhcloud #ewaste #autos #automotive

Coming Soon: Your Tires Uploading Your Driving Data to The Cloud


apparently Samsung considers its users as stupid enough to integrate AI into the fridge so it would... recognise food 💀

#InternetOfThings #InternetOfShit #IoT #Gemini #Tech #Technology #AI #ArtificialIntelligence #Samsung