Command Injection Vulnerability in Zyxel Legacy DSL CPE
CVE-2024-40890
Key Information:
- Vendor: Zyxel
- Status: Vendor
- CVE Published: 4 February 2025
What is CVE-2024-40890?
CVE-2024-40890 is a command injection vulnerability identified in the CGI program of the legacy DSL CPE device Zyxel VMG4325-B10A. It allows an authenticated attacker to execute operating system commands on the affected device by sending a crafted HTTP POST request. Because such devices are widely deployed for internet connectivity, the vulnerability can have severe security consequences for organizations that rely on them, compromising the integrity and reliability of their networks.
Technical Details
The vulnerability resides in firmware version 1.00(AAFR.4)C0_20170615 of the Zyxel VMG4325-B10A. It is a post-authentication issue, meaning that an attacker must first obtain authenticated access to exploit it. By sending specially crafted requests to the device's CGI program, an attacker could run arbitrary commands at the operating-system level, allowing them to manipulate the device's functionality or access sensitive data.
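To illustrate the bug class the advisory describes, here is an added example in C; it is not Zyxel's code and the internals of the VMG4325-B10A CGI program are not published on this page. It contrasts a hypothetical CGI "diagnostic" handler that splices a POST parameter into a shell command line (the pattern that makes command injection possible) with a hardened handler that validates the value against an allowlist and executes the tool directly with an argument vector, so no shell ever interprets the input. The parameter name, the `ping` diagnostic and the `/bin/ping` path are assumptions for the illustration.

```c
/* Added example (not Zyxel's code): unsafe vs hardened handling of a
   user-supplied value in a CGI-style diagnostic handler. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_HOST 253   /* RFC 1035 hostname length bound */

/* UNSAFE PATTERN: the POST parameter is concatenated into a shell command
   line that would later be passed to system()/popen(). Any shell
   metacharacter in the value is interpreted by the shell, so a second
   command can be appended. Shown only to explain the defect. */
int build_shell_command_unsafe(const char *host, char *out, size_t n)
{
    return snprintf(out, n, "ping -c 1 %s", host);
}

/* Allowlist validation: hostnames and IPv4 literals only (letters, digits,
   '.' and '-'), bounded length, and no leading '-' so the value cannot be
   parsed as a command-line option by the tool being executed. */
int is_valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED HANDLER: reject anything outside the allowlist, then exec the
   tool directly with an argv vector. No shell is involved, so characters
   such as ';', '|', '`' or '$' carry no meaning even if they slipped
   through. Returns the child's exit status, or -1 if the input was
   rejected or the child could not be run. */
int run_ping_hardened(const char *host)
{
    if (!is_valid_host(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);  /* assumed path; adjust per firmware */
        _exit(127);                /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample input resembling a tampered POST parameter. */
    const char *tampered = "192.168.1.1; extra-command";
    char cmd[256];

    build_shell_command_unsafe(tampered, cmd, sizeof cmd);
    printf("unsafe command line: \"%s\"\n", cmd);
    printf("hardened handler verdict: %d (rejected before exec)\n",
           run_ping_hardened(tampered));
    printf("clean value accepted: %d\n", is_valid_host("192.168.1.1"));
    return 0;
}
```

The defensive takeaway is the order of operations: validate against a strict allowlist first, and even then never hand the value to a shell; passing an argument vector to `execv` removes the interpreter that makes injection possible.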
Potential impact of CVE-2024-40890
- Unauthorized Access and Control: The primary risk is that authenticated users could exploit this vulnerability to gain deeper access to networked systems, potentially leading to unauthorized modification or control of devices connected to the legacy DSL CPE.
- Data Compromise: Given the ability to execute operating system commands, an attacker could access or exfiltrate sensitive data stored or processed by the device, which may include user credentials or other critical information.
- Network Integrity and Service Disruption: By taking control of the device, an attacker could disrupt services, manipulate network traffic, or deploy further malicious exploits, jeopardizing the overall integrity and availability of the organization's network infrastructure.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
CISA's recommendation is: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Affected Version(s)
VMG4325-B10A firmware <= 1.00(AAFR.4)C0_20170615
Timeline
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by TechTarget
- Vulnerability published
- Vulnerability Reserved