What is the CVSS score of CVE-2024-40890?

CVE-2024-40890 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 45.9%.

Which versions of Vmg1312 B10A Firmware are affected by CVE-2024-40890?

Organizations using the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware face significant risk from CVE-2024-40890, a OS command injection vulnerability rated CVSS 8.8.

Is CVE-2024-40890 being actively exploited?

Yes, CVE-2024-40890 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2024-40890?

Within 24 hours: Identify all affected systems running the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A fir and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Vmg1312 B10A Firmware CVE-2024-40890

HIGH

OS Command Injection (CWE-78)

2025-02-04 security@zyxel.com.tw

Command Injection Zyxel Vmg1312 B10A Firmware Vmg1312 B10B Firmware Vmg1312 B10E Firmware Vmg3312 B10A Firmware Vmg3313 B10A Firmware Vmg3926 B10B Firmware Vmg4325 B10A Firmware Vmg4380 B10A Firmware Vmg8324 B10A Firmware Vmg8924 B10A Firmware Sbg3300 N000 Firmware Sbg3300 Nb00 Firmware Sbg3500 N000 Firmware Sbg3500 Nb00 Firmware

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:24 vuln.today

Added to CISA KEV

Oct 27, 2025 - 17:04 cisa

CISA KEV

CVE Published

Feb 04, 2025 - 10:15 nvd

HIGH 8.8

DescriptionNVD

UNSUPPORTED WHEN ASSIGNED A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

AnalysisAI

Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authenticated attackers to execute OS commands via crafted HTTP POST requests. No patch available (EOL device).

Technical ContextAI

The CWE-78 command injection in the CGI handler passes user input from HTTP POST parameters to shell commands without proper sanitization.

RemediationAI

Replace the EOL device. If impossible, change default credentials, restrict management access to local network only.

CVE-2024-40890 vulnerability details – vuln.today

Back

Vmg1312 B10A Firmware CVE-2024-40890

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code