Command Injection Vulnerability in Zyxel DSL CPE Firmware
CVE-2024-40891
Key Information:
- Vendor
- Zyxel
- Status
- Vendor
- CVE Published:
- 4 February 2025
Badges
What is CVE-2024-40891?
CVE-2024-40891 is a command injection vulnerability found in the Zyxel DSL CPE firmware, specifically impacting the VMG4325-B10A model running a legacy firmware version. This vulnerability allows an authenticated attacker to execute arbitrary operating system commands on the affected device through a Telnet interface. With such a capability, attackers can gain unauthorized control over network devices, potentially leading to serious security breaches within an organization. Given the role of DSL customer premises equipment (CPE) in network connectivity, the exploitation of this vulnerability could jeopardize the integrity and availability of organizational networks.
Technical Details
The vulnerability is categorized as a post-authentication command injection flaw, meaning that it requires an attacker to first authenticate to the device to exploit it. The command injection occurs in the handling of management commands within the firmware. Once authenticated, a malicious user can inject commands that are executed in the system's context, thus breaching the security of the device and the network it supports. The specific firmware version affected is 1.00(AAFR.4)C0_20170615, and the vulnerability remains unaddressed, as the issue is listed as unsupported when assigned.
Potential Impact of CVE-2024-40891
-
Unauthorized Control: The primary risk of this vulnerability is the potential for unauthorized control over the affected devices, allowing attackers to modify configurations or gain access to sensitive data transmitted through the network.
-
Network Compromise: Exploitation could lead to broader network security incidents, where an attacker gains entry into the organization’s network and can pivot to other systems or sensitive resources, potentially facilitating further attacks.
-
Service Disruption: Command injection vulnerabilities can also be used to disrupt services by altering system functionalities, which may lead to downtime or impaired functionality of network services for users relying on the affected devices.
Affected Version(s)
VMG4325-B10A firmware <= 1.00(AAFR.4)C0_20170615
Get notified when SecurityVulnerability.io launches alerting 🔔
Well keep you posted 📧
News Articles
Zyxel won’t patch newly exploited flaws in end-of-life routers
Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging users to move to actively supported models.
20 hours ago
Medical monitoring machines spotted stealing patient data
Infosec in brief The United States Food and Drug Administration has told medical facilities and caregivers that monitor patients using Contec equipment to disconnect the devices from the internet ASAP. The...
3 days ago
Fix Critical Tenda AC8 Router Vulnerability CVE-2024-40891
Learn how to mitigate the critical security vulnerability CVE-2024-40891 in Tenda AC8 routers. Step-by-step guide for security professionals.
5 days ago
References
CVSS V3.1
Timeline
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
- 👾
Exploit known to exist
Vulnerability published
- 📰
First article discovered by The Hacker News
Vulnerability Reserved