CVE-2024-40890

Warnung

EPSS 24.08%
Veröffentlicht 04.02.2025 10:15:08
Zuletzt bearbeitet 12.02.2025 18:12:16
Quelle security@zyxel.com.tw
Teams Watchlist Login
Unerledigt Login

**UNSUPPORTED WHEN ASSIGNED**
A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zyxel ≫ Vmg1312-b10a Firmware Version-

Zyxel ≫ Vmg1312-b10a Version-

Zyxel ≫ Vmg1312-b10b Firmware Version-

Zyxel ≫ Vmg1312-b10b Version-

Zyxel ≫ Vmg1312-b10e Firmware Version-

Zyxel ≫ Vmg1312-b10e Version-

Zyxel ≫ Vmg3312-b10a Firmware Version-

Zyxel ≫ Vmg3312-b10a Version-

Zyxel ≫ Vmg3313-b10a Firmware Version-

Zyxel ≫ Vmg3313-b10a Version-

Zyxel ≫ Vmg3926-b10b Firmware Version-

Zyxel ≫ Vmg3926-b10b Version-

Zyxel ≫ Vmg4325-b10a Firmware Version-

Zyxel ≫ Vmg4325-b10a Version-

Zyxel ≫ Vmg4380-b10a Firmware Version-

Zyxel ≫ Vmg4380-b10a Version-

Zyxel ≫ Vmg8324-b10a Firmware Version-

Zyxel ≫ Vmg8324-b10a Version-

Zyxel ≫ Vmg8924-b10a Firmware Version-

Zyxel ≫ Vmg8924-b10a Version-

Zyxel ≫ Sbg3300-n000 Firmware Version-

Zyxel ≫ Sbg3300-n000 Version-

Zyxel ≫ Sbg3300-nb00 Firmware Version-

Zyxel ≫ Sbg3300-nb00 Version-

Zyxel ≫ Sbg3500-n000 Firmware Version-

Zyxel ≫ Sbg3500-nb00 Firmware Version-

Zyxel ≫ Sbg3500-nb00 Version-

11.02.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Zyxel DSL CPE OS Command Injection Vulnerability

Schwachstelle

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

Beschreibung

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	24.08%	0.959

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@zyxel.com.tw	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-40890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-40890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-40890

EUVD