CVE-2019-15800

Name of the Vulnerable Software and Affected Versions Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0

Description An issue exists due to a lack of input validation in the cmd sys traceroute exec(), cmd sys arp clear(), and cmd sys ping exec() functions in the libclicmd.so library. This could allow an attacker to execute arbitrary commands on the switches by leveraging these functions to call system(). Although these functions are not currently called in this version of the firmware, an attacker could potentially use other vulnerabilities to gain code execution.

Recommendations For Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0, update the firmware to version 2.50(AAHH.0)C0 or later to resolve the issue. As a temporary workaround, consider restricting access to the cmd sys traceroute exec(), cmd sys arp clear(), and cmd sys ping exec() functions in the libclicmd.so library until a patch is available.