CVE-2024-40890

Name of the Vulnerable Software and Affected Versions Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0 20170615

Description A post-authentication command injection issue in the CGI program could allow an authenticated attacker to execute operating system commands on an affected device by sending a crafted HTTP POST request. The vulnerability exists due to the failure to neutralize special elements used in the operating system command. An attacker could exploit this vulnerability to execute arbitrary commands with "supervisor" or "zyuser" privileges by sending specially crafted network requests via the HTTP protocol.

Recommendations For Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0 20170615, consider disabling the CGI program temporarily as a workaround until a patch is available. Restrict access to the CGI program to minimize the risk of exploitation. Avoid using the device until the issue is resolved or an update is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.