CVE-2024-11253
Published: 11 March 2025
Summary
CVE-2024-11253 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel VMG8825-T50K (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 43.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5), AI-generated
- SI-10 (Information Input Validation): directly prevents command injection by implementing input validation on the vulnerable DNSServer parameter in the diagnostic function.
- SI-2 (Flaw Remediation): remediates the specific post-authentication command injection flaw through timely identification and application of vendor firmware patches.
- Minimizes attack surface by configuring the system to disable or restrict unnecessary diagnostic functions accessible to administrators.
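As an added illustration of the SI-10 control above, here is a diagnostic handler written in the defensive shape the advisory calls for: the DNSServer value is accepted only as an IP address literal, the hostname is checked against a strict label grammar, and both are passed to the lookup tool as separate argv entries with no shell in between. This is example code, not Zyxel's firmware implementation (which is not shown on this page); the tool name nslookup, the hostname parameter and the sample inputs are assumptions constructed for the demonstration.

```python
"""Hardened input handling for a router-style DNS diagnostic (illustrative example).

Assumptions: the diagnostic wraps the `nslookup` CLI and takes a hostname plus a
DNSServer value; neither name comes from the Zyxel firmware, which is not shown here.
"""
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with '-', total length capped at 253 characters.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_dns_server(value: str) -> str:
    """Accept only an IPv4/IPv6 address literal and return its canonical form.

    Hostnames, whitespace, shell metacharacters and extra tokens all fail the
    ipaddress parse, so they never reach a command line.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"DNSServer must be an IP address literal, got {value!r}") from None


def validate_hostname(value: str) -> str:
    """Accept only a well-formed hostname; rejects leading '-' so it can't be read as an option."""
    value = value.strip()
    if not _HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"invalid hostname {value!r}")
    return value


def is_safe_diagnostic_input(hostname: str, dns_server: str) -> bool:
    """Boolean form of the two validators, convenient for request handlers."""
    try:
        validate_hostname(hostname)
        validate_dns_server(dns_server)
    except ValueError:
        return False
    return True


def vulnerable_command(hostname: str, dns_server: str) -> str:
    """The CWE-78 shape the advisory describes: request text concatenated into a
    single shell command string. Returned for contrast only, never executed."""
    return f"nslookup {hostname} {dns_server}"


def build_lookup_argv(hostname: str, dns_server: str) -> List[str]:
    """argv for the lookup tool: one list element per value, so no shell parsing
    happens and each value is exactly one argument to the program."""
    return ["nslookup", validate_hostname(hostname), validate_dns_server(dns_server)]


def run_diagnostic(hostname: str, dns_server: str, timeout: float = 10.0) -> str:
    """Run the lookup without a shell (shell=False is subprocess.run's default for a list)."""
    argv = build_lookup_argv(hostname, dns_server)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request.
    for host, server in [("example.com", "8.8.8.8"), ("example.com", "dns.example.net"), ("-h", "8.8.8.8")]:
        print(f"{host!r}, {server!r} -> accepted={is_safe_diagnostic_input(host, server)}")
```

The two validators are the whole control: an allow-list grammar for each field, applied before the value is used, and an argv list so that even a value that somehow slipped through would be handed to the program as data rather than parsed by a shell. Disabling the diagnostic entirely for administrators who do not need it (the third control listed above) removes the code path altogether.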
MITRE ATT&CK Enterprise Techniques, AI-generated
Why these techniques?
The post-authentication command injection (CWE-78) in the diagnostic function directly enables execution of arbitrary OS commands on the Linux-based firmware device.
NVD Description
A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
Deeper analysis, AI-generated
CVE-2024-11253 is a post-authentication command injection vulnerability (CWE-78) affecting the "DNSServer" parameter in the diagnostic function of Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The vulnerability is exploitable by an authenticated attacker holding administrator privileges who can reach the device over the network; attack complexity is low and no user interaction is required. Successful exploitation executes arbitrary operating system commands on the device, giving the attacker substantial control over the underlying system.
Zyxel has published a security advisory detailing the post-authentication command injection vulnerabilities in certain DSL, Ethernet CPE, fiber ONT, and WiFi extender devices, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025, which security practitioners should consult for patch information and mitigation guidance.
Details
- CWE(s)