Post-Authentication Command Injection Vulnerability
CVE-2024-42059

7.2HIGH

Key Information:

Vendor: Zyxel
Status: Atp Series Firmware; Usg Flex Series Firmware; Usg Flex 50(w) Series Firmware; Usg20(w)-vpn Series Firmware
Vendor: CVE Published:; 3 September 2024

Summary

A post-authentication command injection vulnerability exists in the firmware of multiple Zyxel products, specifically within the ATP series, USG FLEX series, and USG20(W)-VPN series. This vulnerability permits an authenticated attacker possessing administrator privileges to execute arbitrary operating system commands on affected devices. The exploitation vector involves uploading a specially crafted compressed language file via FTP. The following firmware versions are affected: ATP series from V5.00 to V5.38, USG FLEX series from V5.00 to V5.38, USG FLEX 50(W) series from V5.00 to V5.38, and USG20(W)-VPN series from V5.00 to V5.38. For further details and mitigations, it is advisable to refer to Zyxel's official security advisory.

Affected Version(s)

ATP series firmware versions V5.00 through V5.38

USG FLEX 50(W) series firmware versions V5.00 through V5.38

USG FLEX series firmware versions V5.00 through V5.38

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 3, 2024
Vulnerability Reserved
Jul 29, 2024