CVE-2024-42060

Name of the Vulnerable Software and Affected Versions Zyxel ATP series versions V4.32 through V5.38 Zyxel USG FLEX series versions V4.50 through V5.38 Zyxel USG FLEX 50(W) series versions V4.16 through V5.38 Zyxel USG20(W)-VPN series versions V4.16 through V5.38

Description The issue is related to a post-authentication command injection vulnerability. It could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

Recommendations For Zyxel ATP series versions V4.32 through V5.38, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX series versions V4.50 through V5.38, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX 50(W) series versions V4.16 through V5.38, update to a version outside of this range to mitigate the risk. For Zyxel USG20(W)-VPN series versions V4.16 through V5.38, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the internal user agreement file upload feature until a patch is available.