Vmg4325 B10A Firmware
CVE-2025-0890
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
UNSUPPORTED WHEN ASSIGNED Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.
AnalysisAI
UNSUPPORTED WHEN ASSIGNED Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 23.8% and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. UNSUPPORTED WHEN ASSIGNED Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. Affected products include: Zyxel Vmg4325-B10A Firmware, Zyxel Sbg3500-N000 Firmware, Zyxel Vmg1312-B10A Firmware, Zyxel Vmg1312-B10B Firmware, Zyxel Vmg1312-B10E Firmware. Version information: version 1.00.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.
More in Vmg4325 B10A Firmware
View allZyxel VMG4325-B10A legacy DSL CPE contains post-authentication command injection via Telnet management commands, compani
Zyxel VMG4325-B10A legacy DSL CPE contains post-authentication OS command injection in the CGI program, allowing authent
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today