
Description

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

Status: PUBLISHED | Reserved 2024-07-11 | Published 2025-02-04 | Updated 2025-10-21 | Assigner: Zyxel

Severity: HIGH 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CISA Known Exploited Vulnerability

Date added 2025-02-11 | Due date 2025-03-04

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
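The description and the CWE-78 classification above name the weakness class but, as is normal for a CVE record, give no code, endpoint or parameter names. The following is an added, hypothetical illustration of that class written for this page; it is not Zyxel's CGI code and makes no claim about how the VMG4325-B10A flaw is actually triggered. The POST body, the `host` parameter, the `ping` wrapper and the function names are all assumptions. The vulnerable path interpolates a form value into a shell command line (the CWE-78 pattern); the hardened path applies an allowlist and executes the tool with an argv so no shell ever parses the value.

```c
/* Hypothetical CWE-78 illustration for a CGI-style handler; not vendor code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Percent-decode one application/x-www-form-urlencoded value ('+' -> ' ', %XX -> byte).
 * Decoding before validation matters: "%3B" becomes ';' and must be caught by the allowlist. */
static size_t url_decode(const char *in, char *out, size_t outlen) {
    size_t n = 0;
    for (; *in && n + 1 < outlen; in++) {
        if (*in == '+') {
            out[n++] = ' ';
        } else if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], 0 };
            out[n++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = 0;
    return n;
}

/* Extract key=value from a POST body. Returns 1 and fills out[] on success, 0 if absent. */
int form_get(const char *body, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char raw[256];
            size_t vlen = plen - klen - 1;
            if (vlen >= sizeof raw) vlen = sizeof raw - 1;
            memcpy(raw, p + klen + 1, vlen);
            raw[vlen] = 0;
            url_decode(raw, out, outlen);
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* CWE-78 pattern: the untrusted value lands verbatim in a string destined for system()/popen().
 * A value such as "192.0.2.1;echo INJECTED" makes the shell run a second command. */
int vulnerable_build(const char *host, char *cmd, size_t cmdlen) {
    return snprintf(cmd, cmdlen, "ping -c 1 %s", host);
}

/* Allowlist: only characters that can appear in a hostname or an IPv4/IPv6 literal. */
int is_valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Hardened path: validate first, then exec the tool with a fixed argv so no shell parses host.
 * Returns the child's exit status, or -1 if the value was rejected (nothing is executed). */
int hardened_run(const char *tool, const char *host) {
    if (!is_valid_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(tool, tool, "-c", "1", host, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample POST body, not a captured request: host carries a percent-encoded ';'. */
    const char *body = "action=ping&host=192.0.2.1%3Becho+INJECTED";
    char host[256], cmd[512];
    if (!form_get(body, "host", host, sizeof host)) return 1;
    vulnerable_build(host, cmd, sizeof cmd);
    printf("vulnerable path would pass to the shell: %s\n", cmd);
    system(cmd);                      /* prints INJECTED regardless of whether ping exists */
    printf("hardened path result: %d\n", hardened_run("echo", host));   /* -1: rejected */
    return 0;
}
```

The decode-then-validate order is the part that is easy to get wrong: checking the raw body for ';' would pass `%3B`, which the later decode turns back into a metacharacter. The same holds for any CGI handler that builds shell strings from request data; replacing `system()` with an argv-based exec removes the shell, and the allowlist removes anything the tool itself could misinterpret.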

Product status (Zyxel VMG4325-B10A firmware)

Default status: unaffected

Versions <= 1.00(AAFR.4)C0_20170615: affected

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2024-40890 government-resource

www.zyxel.com/...lities-in-certain-legacy-dsl-cpe-02-04-2025 vendor-advisory

cve.org (CVE-2024-40890)

nvd.nist.gov (CVE-2024-40890)
