Post-Authentication Command Injection in Zyxel NBG6604 Router
CVE-2023-22919

8.8HIGH

Key Information:

Vendor: Zyxel
Status: Nbg6604 Firmware
Vendor: CVE Published:; 1 May 2023

What is CVE-2023-22919?

A post-authentication command injection vulnerability exists in the Zyxel NBG6604 Router firmware version V1.01(ABIR.0)C0. This flaw allows an authenticated attacker to execute arbitrary OS commands remotely. The attacker can exploit this vulnerability by crafting specific HTTP requests that leverage the underlying issues in the firmware. If successfully executed, this could lead to unauthorized access and control over the affected device, potentially compromising the network's security.

Affected Version(s)

NBG6604 firmware V1.01(ABIR.0)C0

References

https://www.zyxel.com/global/en/support/security-advisori...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2023
Vulnerability Reserved
Jan 10, 2023