CVE-2024-42059

Name of the Vulnerable Software and Affected Versions Zyxel ATP series versions V5.00 through V5.38 Zyxel USG FLEX series versions V5.00 through V5.38 Zyxel USG FLEX 50(W) series versions V5.00 through V5.38 Zyxel USG20(W)-VPN series versions V5.00 through V5.38

Description A post-authentication command injection issue exists, related to the implementation of the File Transfer Protocol (FTP) in the firmware of Zyxel network devices. This could allow an authenticated attacker with administrator privileges to execute arbitrary OS commands on an affected device by uploading a specially crafted compressed language file via FTP. The exploitation of this issue may enable a remote attacker to execute commands on the device.

Recommendations For Zyxel ATP series versions V5.00 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG FLEX series versions V5.00 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG FLEX 50(W) series versions V5.00 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG20(W)-VPN series versions V5.00 through V5.38, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the FTP service to minimize the risk of exploitation.