HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2024-40890

CVSS 8.8v3.1pub. 2025-02-04upd. 2025-10-27

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Zyxel Sbg3300 N000

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3300 N000 Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3300 Nb00

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3300 Nb00 Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3500 N000 Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3500 Nb00

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Sbg3500 Nb00 Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10b

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10b Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10e

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg1312 B10e Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3312 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3312 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3313 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3313 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3926 B10b

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg3926 B10b Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg4325 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg4325 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg4380 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg4380 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg8324 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg8324 B10a Firmware

    OS
    Zyxel
    wszystkie wersje
  • Zyxel Vmg8924 B10a

    HW
    Zyxel
    wszystkie wersje
  • Zyxel Vmg8924 B10a Firmware

    OS
    Zyxel
    wszystkie wersje

CISA KEV — detailsi

Vendori
Zyxel
Producti
DSL CPE Devices
Added to KEVi
February 11, 2025
Remediation deadline (US Federal)i
March 4, 2025(overdue)
Required action (CISA)i

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

CISA descriptioni

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 4 marca 2025
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2025-0890CRITICAL9.8PL ✓ten sam produkt

Domyślne dane logowania Telnet w legacy DSL CPE Zyxel — Auth Bypass

CVE-2024-40891HIGH8.8⚠ KEVten sam produkt

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands...

CVE-2015-7256MEDIUM5.9ten sam produkt

ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG...

CVE-2023-27992CRITICAL9.8⚠ KEVten sam vendor

The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AA...

CVE-2023-33009CRITICAL9.8⚠ KEVten sam vendor

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 throug...