Vmg1312 B10A Firmware
CVE-2024-40890
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
UNSUPPORTED WHEN ASSIGNED A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
AnalysisAI
Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authenticated attackers to execute OS commands via crafted HTTP POST requests. No patch available (EOL device).
Technical ContextAI
The CWE-78 command injection in the CGI handler passes user input from HTTP POST parameters to shell commands without proper sanitization.
RemediationAI
Replace the EOL device. If impossible, change default credentials, restrict management access to local network only.
More in Vmg1312 B10A Firmware
View allZyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani
**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B
ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A,
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today