Unauthenticated Command Injection Vulnerability in Zyxel NWA1100-N Firmware Could Allow Access to System Files
CVE-2024-8234

9.8CRITICAL

Key Information:

Vendor: Zyxel
Status: Nwaw1100-n Firmware
Vendor: CVE Published:; 30 August 2024

Summary

A command injection vulnerability exists in the Zyxel NWA1100-N firmware that permits an unauthenticated attacker to exploit functions such as formSysCmd(), formUpgradeCert(), and formDelcert(). This exploitation could lead to unauthorized execution of OS commands, potentially allowing access to sensitive system files on the device. Administrators are urged to assess their systems and apply mitigations or updates as necessary to safeguard against potential attacks.

References

https://webservice.zyxel.com/eol/ArchivedEOLModel.pdf

https://github.com/GroundCTL2MajorTom/pocs/blob/main/zyxe...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 30, 2024