Post-Authentication Command Injection Vulnerability Affects Zyxel ATP Series devices
CVE-2024-42060

7.2 HIGH

Key Information:

Summary

CVE-2024-42060 is a post-authentication command injection flaw in Zyxel firewall products. An authenticated user with administrative privileges can execute arbitrary operating system commands by uploading a crafted internal user agreement file to an affected device. The flaw affects devices running vulnerable firmware versions across several Zyxel firewall product lines. Organizations operating Zyxel ATP series, USG FLEX series, and USG20 VPN series devices should check their firmware against the affected versions listed below to determine whether they are exposed.

Affected Version(s)

ATP series firmware versions V4.32 through V5.38

USG FLEX 50(W) series firmware versions V4.16 through V5.38

USG FLEX series firmware versions V4.50 through V5.38

CVSS v3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved