CVE-2024-40890

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

Configurations

Configuration 1

AND
cpe:2.3:o:zyxel:vmg1312-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg1312-b10a:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:zyxel:vmg1312-b10b_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg1312-b10b:-:*:*:*:*:*:*:*

Configuration 3

AND
cpe:2.3:o:zyxel:vmg1312-b10e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg1312-b10e:-:*:*:*:*:*:*:*

Configuration 4

AND
cpe:2.3:o:zyxel:vmg3312-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg3312-b10a:-:*:*:*:*:*:*:*

Configuration 5

AND
cpe:2.3:o:zyxel:vmg3313-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg3313-b10a:-:*:*:*:*:*:*:*

Configuration 6

AND
cpe:2.3:o:zyxel:vmg3926-b10b_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg3926-b10b:-:*:*:*:*:*:*:*

Configuration 7

AND
cpe:2.3:o:zyxel:vmg4325-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg4325-b10a:-:*:*:*:*:*:*:*

Configuration 8

AND
cpe:2.3:o:zyxel:vmg4380-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg4380-b10a:-:*:*:*:*:*:*:*

Configuration 9

AND
cpe:2.3:o:zyxel:vmg8324-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg8324-b10a:-:*:*:*:*:*:*:*

Configuration 10

AND
cpe:2.3:o:zyxel:vmg8924-b10a_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:vmg8924-b10a:-:*:*:*:*:*:*:*

Configuration 11

AND
cpe:2.3:o:zyxel:sbg3300-n000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:sbg3300-n000:-:*:*:*:*:*:*:*

Configuration 12

AND
cpe:2.3:o:zyxel:sbg3300-nb00_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:sbg3300-nb00:-:*:*:*:*:*:*:*

Configuration 13

AND
cpe:2.3:o:zyxel:sbg3500-n000_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:sbg3500-n000_firmware:-:*:*:*:*:*:*:*

Configuration 14

AND
cpe:2.3:o:zyxel:sbg3500-nb00_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:sbg3500-nb00:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-02-04 10:15

Updated : 2025-10-27 17:04


NVD link : CVE-2024-40890

Mitre link : CVE-2024-40890

CVE.ORG link : CVE-2024-40890


Products Affected

zyxel

  • sbg3300-n000
  • sbg3500-n000_firmware
  • vmg1312-b10a_firmware
  • vmg1312-b10e
  • vmg1312-b10b_firmware
  • vmg3313-b10a
  • vmg1312-b10e_firmware
  • vmg8324-b10a_firmware
  • sbg3300-nb00
  • vmg3926-b10b_firmware
  • vmg3312-b10a
  • sbg3500-nb00
  • vmg1312-b10b
  • vmg4380-b10a_firmware
  • vmg3312-b10a_firmware
  • sbg3300-nb00_firmware
  • vmg8924-b10a
  • vmg3313-b10a_firmware
  • vmg1312-b10a
  • vmg4380-b10a
  • vmg8924-b10a_firmware
  • vmg8324-b10a
  • sbg3300-n000_firmware
  • vmg4325-b10a
  • sbg3500-nb00_firmware
  • vmg3926-b10b
  • vmg4325-b10a_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')