CVE-2024-40890
Zyxel DSL CPE OS Command Injection Vulnerability
CVSS
—
No CVSS
EPSS
22.4%
p97
KEV
YES
Feb 11, 2025
Exploit Today
79
0-100
Published: — · Last modified: —
Product
Zyxel / DSL CPE Devices
Vulnerability
Zyxel DSL CPE OS Command Injection Vulnerability
Added to KEV
Feb 11, 2025
Remediate by
Mar 4, 2025
Known ransomware use
No
Summary description
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
Required action
The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Notes
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 ; https://www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2024-40890