CVE-2024-8881

Name of the Vulnerable Software and Affected Versions: Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier

Description: A post-authentication command injection issue in the CGI program of the Zyxel GS1900-48 switch firmware could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request. The vulnerability is related to the failure to neutralize special elements used in an OS command.

Recommendations: For Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier, consider disabling the CGI program temporarily as a workaround until a patch is available. Restrict access to the CGI interface to minimize the risk of exploitation. Avoid using the vulnerable firmware version until an update is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.