CVE-2024-40890
Published: 04 February 2025
Description
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
Security Summary
CVE-2024-40890 is a post-authentication OS command injection vulnerability (CWE-78) in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A, firmware version 1.00(AAFR.4)C0_20170615. The CVE is tagged UNSUPPORTED WHEN ASSIGNED, meaning the product was already end-of-life when the identifier was issued and the vendor does not provide a fix. An authenticated attacker can execute arbitrary operating system commands on the device by sending a crafted HTTP POST request. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
The attack requires low-privilege authenticated access (PR:L) over the network, with no user interaction needed. An attacker can send a specially crafted HTTP POST request to the vulnerable CGI program, injecting and executing OS commands, potentially leading to full device compromise, including data exfiltration, modification of configurations, or disruption of services.
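To make the CWE-78 pattern behind this class of bug concrete, the following is an added illustration, not Zyxel's code and not derived from the affected firmware: a minimal CGI-style handler that decodes a POST form field and, in the vulnerable variant, splices it into a shell command, beside a hardened variant that validates the field and executes without a shell. The field name `host`, the `ping` use case, and the sample POST body are assumptions; the page does not identify the real CGI program or parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample POST body (assumed field name "host"). "%3B" is an
 * URL-encoded ';' and '+' encodes a space, so encoding alone stops nothing. */
static const char SAMPLE_BODY[] = "user=admin&host=8.8.8.8%3B+cat+%2Fetc%2Fpasswd";

/* Decode one application/x-www-form-urlencoded value for `key`.
 * Returns 1 on success, 0 if the key is absent or `out` is too small. */
int get_form_value(const char *body, const char *key, char *out, size_t n)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = flen - klen - 1, o = 0;

            for (size_t i = 0; i < vlen; i++) {
                if (o + 1 >= n)
                    return 0;
                if (v[i] == '%' && i + 2 < vlen &&
                    isxdigit((unsigned char)v[i + 1]) &&
                    isxdigit((unsigned char)v[i + 2])) {
                    char hex[3] = { v[i + 1], v[i + 2], '\0' };
                    out[o++] = (char)strtol(hex, NULL, 16);
                    i += 2;
                } else if (v[i] == '+') {
                    out[o++] = ' ';
                } else {
                    out[o++] = v[i];
                }
            }
            out[o] = '\0';
            return 1;
        }
        p = end ? end + 1 : NULL;
    }
    return 0;
}

/* VULNERABLE: the decoded field goes straight into a shell command line that
 * the real program would hand to system(). Any ; | ` $( ) the authenticated
 * user sends is interpreted by /bin/sh. */
int build_ping_command_vulnerable(const char *host, char *cmd, size_t n)
{
    int len = snprintf(cmd, n, "ping -c 1 %s", host);
    return len >= 0 && (size_t)len < n;
}

/* HARDENED step 1: allowlist hostname/IPv4 characters, reject a leading '-'
 * so the value cannot be parsed as an option. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED step 2: no shell at all. argv is passed to execvp, so the value is
 * always one argument. Returns ping's exit status, or -1 on rejection/error. */
int run_ping_hardened(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if the vulnerable path would hand the injected ';' to the shell. */
int sample_reaches_shell(void)
{
    char host[128], cmd[256];
    if (!get_form_value(SAMPLE_BODY, "host", host, sizeof host))
        return 0;
    if (!build_ping_command_vulnerable(host, cmd, sizeof cmd))
        return 0;
    return strcmp(cmd, "ping -c 1 8.8.8.8; cat /etc/passwd") == 0;
}

/* 1 if the hardened path rejects the same sample before any exec. */
int sample_rejected_by_hardened(void)
{
    char host[128];
    if (!get_form_value(SAMPLE_BODY, "host", host, sizeof host))
        return 0;
    return is_safe_host(host) == 0 && run_ping_hardened(host) == -1;
}

int main(void)
{
    char host[128], cmd[256];
    if (!get_form_value(SAMPLE_BODY, "host", host, sizeof host))
        return 1;
    build_ping_command_vulnerable(host, cmd, sizeof cmd);
    printf("decoded field : %s\n", host);
    printf("vulnerable cmd: %s\n", cmd);
    printf("hardened path : %s\n", is_safe_host(host) ? "accepted" : "rejected");
    return 0;
}
```

The two halves of the fix matter independently: validation alone still leaves a `system()` call that the next developer can reach with a different field, and exec-without-shell alone still lets a hostile value become an option to the child program. On a CPE where the web server runs as root, a single reachable `system()` behind the login page is full device compromise, which is what the CVSS C:H/I:H/A:H on this entry reflects.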
Zyxel has issued a security advisory addressing this command injection vulnerability alongside insecure default credentials in certain legacy DSL CPE devices. The CVE is also listed in the CISA Known Exploited Vulnerabilities Catalog, signaling real-world exploitation.
Given its presence in the CISA KEV catalog, security practitioners should prioritize identifying and isolating affected legacy devices, since no firmware patch exists for this unsupported version and none should be expected. Where immediate replacement is not possible, restrict the web management interface to trusted networks, disable remote (WAN) administration, and replace any default credentials; because exploitation requires authentication, credential hygiene reduces exposure, but it is a stopgap, not a fix.
Details
- CWE(s): CWE-78
- KEV Date Added: 11 February 2025