CVE-2024-40890: A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A...

8.8 CVSS

Description

A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

Known Exploited

Marked as known exploited on February 11, 2025.

Classification

CVE ID: CVE-2024-40890

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: Zyxel

Product: VMG4325-B10A firmware

Exploit Prediction Scoring System (EPSS)

EPSS Score: 4.13% (probability of being exploited)

EPSS Percentile: 92.25% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-05 (date on which this score was calculated)

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

Timeline