Critical Vulnerabilities Expose ZLAN Industrial Networking Devices to Remote Attacks
INCIBE-CERT warns of multiple high-severity flaws in ZLAN devices, enabling remote code execution and authentication bypass. Patch immediately.
Critical Flaws in ZLAN Industrial Networking Products Demand Immediate Patching
The Spanish National Cybersecurity Institute’s Computer Emergency Response Team (INCIBE-CERT) has issued an urgent advisory warning of multiple high-severity vulnerabilities in industrial networking devices from ZLAN Information Technology Co. These flaws, if exploited, could allow threat actors to execute remote code, bypass authentication, and gain unauthorized access to critical infrastructure systems.
Technical Details of the Vulnerabilities
The vulnerabilities affect several ZLAN device models, including industrial switches and serial-to-Ethernet converters, which are widely deployed in operational technology (OT) environments. INCIBE-CERT’s advisory highlights the following critical issues:
- CVE-2026-XXXX1 (CVSS 9.8): A remote code execution (RCE) vulnerability in the web management interface, stemming from improper input validation. Attackers can exploit this flaw by sending crafted HTTP requests to execute arbitrary commands with root privileges.
- CVE-2026-XXXX2 (CVSS 9.1): An authentication bypass vulnerability due to hardcoded credentials in the device firmware. Unauthenticated attackers can gain administrative access by leveraging these default credentials.
- CVE-2026-XXXX3 (CVSS 8.6): A denial-of-service (DoS) flaw in the device’s network stack, triggered by malformed packets. Exploitation could disrupt industrial network operations, leading to downtime in critical processes.
- CVE-2026-XXXX4 (CVSS 7.5): A cross-site scripting (XSS) vulnerability in the web interface, allowing attackers to inject malicious scripts into device management pages. This could be used for phishing or session hijacking.
INCIBE-CERT has not disclosed the full technical details of these vulnerabilities, to avoid aiding active exploitation, but emphasizes that proof-of-concept (PoC) exploits may already exist in underground forums.
Impact Analysis
ZLAN devices are commonly used in industrial control systems (ICS), manufacturing, and critical infrastructure sectors. Successful exploitation of these vulnerabilities could result in:
- Unauthorized control of industrial processes, leading to sabotage or physical damage.
- Data exfiltration from compromised networks, including sensitive operational data.
- Lateral movement into connected OT/IT systems, expanding the attack surface.
- Operational disruptions, particularly in environments relying on real-time data transmission.
Given the high severity of these flaws, INCIBE-CERT classifies this as a critical-risk advisory, urging organizations to prioritize remediation.
Recommended Actions
INCIBE-CERT and ZLAN have released patches to address these vulnerabilities. Security teams are advised to:
- Apply patches immediately to all affected ZLAN devices. Firmware updates are available on the vendor’s official support portal.
- Isolate vulnerable devices from untrusted networks until patches are applied, particularly in OT environments.
- Monitor network traffic for signs of exploitation, such as unusual HTTP requests or unauthorized access attempts.
- Review and rotate credentials for all ZLAN devices, ensuring default or weak passwords are replaced with strong, unique alternatives.
- Implement network segmentation to limit the blast radius of potential attacks, separating OT devices from corporate IT networks.
For organizations unable to patch immediately, INCIBE-CERT recommends deploying intrusion detection/prevention systems (IDS/IPS) to detect and block exploitation attempts.
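As an added example (not part of the INCIBE-CERT advisory or of any ZLAN software), the following Python script applies the kind of monitoring the recommendations above call for to constructed web-management access-log lines: it flags access to the web interface from outside an assumed management subnet, successful logins from untrusted sources, and shell metacharacters or script tags in request parameters, matching the RCE, credential and XSS issue classes the advisory lists. The log format, the 10.10.5.0/24 management subnet, the sample addresses and the CGI paths are all assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the advisory): Common Log Format
# entries as a device web management interface might emit them.
SAMPLE_LOG = """\
10.10.5.20 - admin [12/Mar/2026:08:01:12 +0100] "GET /index.html HTTP/1.1" 200 1024
192.0.2.77 - - [12/Mar/2026:08:02:30 +0100] "POST /login.cgi HTTP/1.1" 401 512
192.0.2.77 - - [12/Mar/2026:08:02:31 +0100] "POST /login.cgi HTTP/1.1" 200 512
10.10.5.20 - admin [12/Mar/2026:08:03:00 +0100] "GET /ping.cgi?host=127.0.0.1;id HTTP/1.1" 200 300
10.10.5.21 - admin [12/Mar/2026:08:04:00 +0100] "GET /name.cgi?dev=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
"""

# Hypothetical management subnet: the only sources allowed to reach the web UI.
ALLOWED_MGMT = [ipaddress.ip_network("10.10.5.0/24")]

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_META = re.compile(r"[;|`$&]|\$\(")   # command separators inside a parameter value
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def triage(log_text, allowed=ALLOWED_MGMT):
    """Return (line_no, rule, source_ip) findings for out-of-segment access,
    login success from untrusted sources, and injection-style parameters."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        src, _user, _ts, _method, path, status = m.groups()
        trusted = any(ipaddress.ip_address(src) in net for net in allowed)
        if not trusted:
            findings.append((n, "web-ui-from-outside-mgmt-subnet", src))
            if path.startswith("/login") and status == "200":
                findings.append((n, "login-success-from-untrusted-source", src))
        query = unquote(path.partition("?")[2])   # decode %XX before matching
        if SHELL_META.search(query):
            findings.append((n, "shell-metachar-in-parameter", src))
        if SCRIPT_TAG.search(query):
            findings.append((n, "script-tag-in-parameter", src))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feed the script real access logs from the management interface (or an IDS export) and tighten the subnet list to the organization's actual OT management network; hits on the untrusted-login or injection rules are candidates for immediate isolation of the device.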
Additional details, including affected device models and patch links, are available in the full advisory from INCIBE-CERT.