Insecure Permissions in Zyxel VMG5313-B30B Router
CVE-2020-24355

9.8 CRITICAL

Key Information:

Vendor: Zyxel
CVE Published: 2 September 2020

Summary

The Zyxel VMG5313-B30B router is affected by a security issue that allows unauthorized users to create and modify user accounts with elevated permissions. The vulnerability arises from improper handling of permissions in the account creation process: the 'FirstIndex' field in the JSON payload submitted during a POST request can be manipulated. Firmware version 5.13(ABCJ.6)b3_1127, and potentially older versions, may also allow users to delete accounts improperly, exacerbating the security risks. Users of Zyxel routers should check for updates and patch their devices to prevent exploitation.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
