7.2
CVE-2024-9200
- EPSS 1.43%
- Published 03.12.2024 02:15:17
- Last modified 21.01.2025 21:13:29
- Source security@zyxel.com.tw
- Teams watchlist Login
- Open Login
A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
Data is provided by the National Vulnerability Database (NVD)
Zyxel ≫ Emg6726-b10a Firmware Version < 5.13\(abnp.8\)c1
Zyxel ≫ Vmg3927-b50b Firmware Version < 5.13\(ably.9\)c1
Zyxel ≫ Vmg4005-b50a Firmware Version < 5.15\(abqa.2.3\)c0
Zyxel ≫ Vmg4005-b60a Firmware Version < 5.15\(abqa.2.3\)c0
Zyxel ≫ Vmg4005-b50b Firmware Version < 5.13\(abrl.5.2\)c0
Zyxel ≫ Vmg4927-b50a Firmware Version < 5.13\(ably.9\)c1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.43% | 0.8 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| security@zyxel.com.tw | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.