Cyber Posture

CVE-2024-40891

Severity: High · CISA KEV · Active Exploitation

Published: 04 February 2025
Modified: 27 October 2025
KEV Added: 11 February 2025
Patch: available (see vendor advisory)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5324 (98.0th percentile)
Risk Priority: 70 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.

Security Summary

CVE-2024-40891 is a post-authentication command injection vulnerability (CWE-78) in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. The flaw, published on 2025-02-04, allows an authenticated attacker to execute arbitrary operating system commands on an affected device via Telnet. The vulnerability was marked as unsupported when assigned, indicating no vendor support at the time of disclosure.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Exploitation enables high-impact disruption to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 8.8. Attackers gain the ability to run OS commands, potentially leading to full device compromise.

Zyxel's security advisory details the command injection vulnerability alongside insecure default credentials issues in certain legacy DSL CPE devices. The advisory is available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025.

The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40891), signaling real-world exploitation.

Details

CWE(s): CWE-78
KEV Date Added: 11 February 2025

Affected Products

Vendor: zyxel

- vmg1312-b10a firmware (all versions)
- vmg1312-b10b firmware (all versions)
- vmg1312-b10e firmware (all versions)
- vmg3312-b10a firmware (all versions)
- vmg3313-b10a firmware (all versions)
- vmg3926-b10b firmware (all versions)
- vmg4325-b10a firmware (all versions)
- vmg4380-b10a firmware (all versions)
- vmg8324-b10a firmware (all versions)
- vmg8924-b10a firmware (all versions)
- +4 more product configuration(s); see NVD for the full list

References