First published: Tue Feb 04 2025(Updated: )
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
Credit: security@zyxel.com.tw
Affected Software | Affected Version | How to fix |
---|---|---|
Zyxel DSL CPE devices | ||
Zyxel VMG4325-B10A firmware | ||
All of | ||
ZyXEL VMG1312-B10A | ||
ZyXEL VMG1312-B10A firmware | ||
All of | ||
Zyxel VMG1312-B10B | ||
Zyxel VMG1312-B10B Firmware | ||
All of | ||
Zyxel VMG1312-B10E | ||
Zyxel VMG1312-B10E | ||
All of | ||
Zyxel Vmg3313-b10a Firmware | ||
Zyxel VMG3312-B10A | ||
All of | ||
Zyxel Vmg3313-b10a Firmware | ||
Zyxel Vmg3313-b10a | ||
All of | ||
Zyxel VMG3926-B10B | ||
Zyxel VMG3926-B10B | ||
All of | ||
Zyxel VMG4325-B10A firmware | ||
Zyxel VMG4325-B10A firmware | ||
All of | ||
ZyXEL VMG4380-B10A | ||
ZyXEL VMG4380-B10A firmware | ||
All of | ||
ZyXEL VMG8324-B10A firmware | ||
zyxel vmg8324-b10a | ||
All of | ||
ZyXEL VMG8924-B10A | ||
ZyXEL VMG8924-B10A firmware | ||
All of | ||
ZyXEL SBG3300-N000 | ||
ZyXEL SBG3300-N000 firmware | ||
All of | ||
ZyXEL SBG3300-NB00 | ||
ZyXEL SBG3300-NB00 firmware | ||
All of | ||
ZyXEL SBG3500-N000 | ||
ZyXEL SBG3500-N000 | ||
All of | ||
Zyxel Sbg3500-nb00 Firmware | ||
Zyxel SBG3500-NB00 |
The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2024-40890 is classified as a critical vulnerability due to its potential to allow authenticated attackers to execute OS commands.
To mitigate CVE-2024-40890, users should upgrade to the latest firmware version provided by Zyxel, if available.
CVE-2024-40890 affects the Zyxel VMG4325-B10A device running firmware version 1.00(AAFR.4)C0_20170615.
CVE-2024-40890 requires authentication, so exploitation must be carried out by an attacker with valid user credentials.
Yes, there are reports indicating that attackers are actively exploiting CVE-2024-40890 in the wild.