8.8

CVE-2022-43390

A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.

Data is provided by the National Vulnerability Database (NVD)
ZyxelLte7480-m804 Firmware Version < 1.00\(abra.6\)c0
   ZyxelLte7480-m804 Version-
ZyxelLte7490-m904 Firmware Version < 1.00\(abqy.5\)c0
   ZyxelLte7490-m904 Version-
ZyxelNebula Nr5101 Firmware Version < 1.15\(accg.3\)c0
   ZyxelNebula Nr5101 Version-
ZyxelNebula Nr7101 Firmware Version < 1.15\(accc.3\)c0
   ZyxelNebula Nr7101 Version-
ZyxelNr5101 Firmware Version < 1.00\(abvc.6\)c0
   ZyxelNr5101 Version-
ZyxelNr7101 Firmware Version < 1.00\(abuv.7\)c0
   ZyxelNr7101 Version-
ZyxelNr7102 Firmware Version < 1.00\(abyd.2\)c0
   ZyxelNr7102 Version-
ZyxelDx3301-t0 Firmware Version-
   ZyxelDx3301-t0 Version-
ZyxelDx4510-b1 Firmware Version-
   ZyxelDx4510-b1 Version-
ZyxelDx5401-b0 Firmware Version-
   ZyxelDx5401-b0 Version-
ZyxelEmg3525-t50b Firmware Version-
   ZyxelEmg3525-t50b Version-
ZyxelEmg5523-t50b Firmware Version-
   ZyxelEmg5523-t50b Version-
ZyxelEmg5723-t50k Firmware Version-
   ZyxelEmg5723-t50k Version-
ZyxelEx3301-t0 Firmware Version-
   ZyxelEx3301-t0 Version-
ZyxelEx3510-b0 Firmware Version < 5.17\(abup.7\)c0
   ZyxelEx3510-b0 Version-
ZyxelEx5401-b0 Firmware Version-
   ZyxelEx5401-b0 Version-
ZyxelEx5501-b0 Firmware Version-
   ZyxelEx5501-b0 Version-
ZyxelEx5510-b0 Firmware Version < 5.17\(abqx.7\)c0
   ZyxelEx5510-b0 Version-
ZyxelEx5512-t0 Firmware Version-
   ZyxelEx5512-t0 Version-
ZyxelEx5600-t1 Firmware Version-
   ZyxelEx5600-t1 Version-
ZyxelEx5601-t0 Firmware Version-
   ZyxelEx5601-t0 Version-
ZyxelEx5601-t1 Firmware Version-
   ZyxelEx5601-t1 Version-
ZyxelVmg3927-t50k Firmware Version-
   ZyxelVmg3927-t50k Version-
ZyxelVmg4005-b50a Firmware Version-
   ZyxelVmg4005-b50a Version-
ZyxelVmg4005-b60a Firmware Version-
   ZyxelVmg4005-b60a Version-
ZyxelVmg8623-t50b Firmware Version-
   ZyxelVmg8623-t50b Version-
ZyxelVmg8825-t50k Firmware Version-
   ZyxelVmg8825-t50k Version-
ZyxelAx7501-b0 Firmware Version-
   ZyxelAx7501-b0 Version-
ZyxelPm3100-t0 Firmware Version-
   ZyxelPm3100-t0 Version-
ZyxelPm5100-t0 Firmware Version-
   ZyxelPm5100-t0 Version-
ZyxelPm7300-t0 Firmware Version-
   ZyxelPm7300-t0 Version-
ZyxelPm7320-b0 Firmware Version-
   ZyxelPm7320-b0 Version-
ZyxelPmg5317-t20b Firmware Version-
   ZyxelPmg5317-t20b Version-
ZyxelPmg5617-t20b2 Firmware Version-
   ZyxelPmg5617-t20b2 Version-
ZyxelPmg5617ga Firmware Version-
   ZyxelPmg5617ga Version-
ZyxelPmg5622ga Firmware Version-
   ZyxelPmg5622ga Version-
ZyxelWx3100-t0 Firmware Version-
   ZyxelWx3100-t0 Version-
ZyxelWx3401-b0 Firmware Version-
   ZyxelWx3401-b0 Version-
ZyxelWx5600-t0 Firmware Version-
   ZyxelWx5600-t0 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.67% 0.814
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@zyxel.com.tw 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.