PT-2024-9042 · Zyxel · Zyxel Vmg4005-B50A

Erik De Jong · Published 2024-12-03 · Updated 2025-01-21 · CVE-2024-9200

CVSS v2.0: 9.0 (High) · Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0
Description: A post-authentication command injection vulnerability exists in the host parameter of the diagnostic function. It could allow an authenticated attacker with administrator privileges to execute operating system commands on a vulnerable device. The vulnerability is caused by the lack of measures to neutralize special elements used in an operating system command.
Recommendations: For Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0, consider disabling the diagnostic function temporarily until a patch is available. Restrict access to the host parameter of the diagnostic function to minimize the risk of exploitation, and avoid using that parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2024-10724
CVE-2024-9200

Affected Products

Zyxel Vmg4005-B50A