CVE-2024-11253

High · RCE

Published: 11 March 2025

Modified: 11 March 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-11253 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel VMG8825-T50K (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 42.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-11253 is a post-authentication command injection vulnerability (CWE-78) affecting the "DNSServer" parameter in the diagnostic function of Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by an authenticated attacker possessing administrator privileges, who can access the device over the network with low attack complexity and no user interaction required. Exploitation enables the execution of arbitrary operating system commands on the vulnerable device, granting the attacker substantial control over the system's underlying operations.

Zyxel has published a security advisory detailing the post-authentication command injection vulnerabilities in certain DSL, Ethernet CPE, fiber ONT, and WiFi extender devices, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025, which security practitioners should consult for patch information and mitigation guidance.

EU & UK References

Vulnerability details

A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The post-authentication command injection (CWE-78) in the diagnostic function directly enables execution of arbitrary OS commands on the Linux-based firmware device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44724 · Shared CWE-78
CVE-2026-22227 · Shared CWE-78
CVE-2024-40891 · Shared CWE-78
CVE-2026-26280 · Shared CWE-78
CVE-2024-57019 · Shared CWE-78
CVE-2026-45152 · Shared CWE-78
CVE-2025-53949 · Shared CWE-78
CVE-2026-8652 · Shared CWE-78
CVE-2026-35071 · Shared CWE-78
CVE-2026-1460 · Shared CWE-78

Affected Assets

Zyxel
VMG8825-T50K
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection by implementing input validation mechanisms on the vulnerable DNSServer parameter in the diagnostic function.

prevent

Remediates the specific post-authentication command injection flaw through timely identification and application of vendor firmware patches.

prevent

Minimizes attack surface by configuring the system to disable or restrict unnecessary diagnostic functions accessible to administrators.
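
As an added illustration of the input-validation control above (not Zyxel's firmware code), the sketch below shows allow-list validation of a DNSServer value followed by shell-free invocation. The function names, the `nslookup HOST SERVER` command shape and the rule that DNSServer must be an IP literal are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Accept DNSServer only if it is a bare IPv4 or IPv6 literal. inet_pton()
 * parses strictly, so shell metacharacters, whitespace, newlines, option-like
 * values and hostnames are rejected outright instead of being "cleaned". */
int dns_server_is_valid(const char *value)
{
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len;

    if (value == NULL)
        return 0;
    len = strlen(value);
    if (len == 0 || len >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, value, addr) == 1 ||
           inet_pton(AF_INET6, value, addr) == 1;
}

/* Lookup target: letters, digits, '.' and '-' only, starting alphanumeric. */
int hostname_is_valid(const char *host)
{
    size_t i, len;

    if (host == NULL || (len = strlen(host)) == 0 || len > 253)
        return 0;
    if (!isalnum((unsigned char)host[0]))
        return 0;
    for (i = 1; i < len; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '.' && host[i] != '-')
            return 0;
    return 1;
}

/* Fill argv for an execv()-style call, so no shell ever parses the values.
 * Assumption: the diagnostic wraps "nslookup HOST SERVER".
 * Returns 0 on success, -1 if either value fails validation. */
int build_lookup_argv(const char *host, const char *dns_server,
                      const char *argv[4])
{
    if (!hostname_is_valid(host) || !dns_server_is_valid(dns_server))
        return -1;
    argv[0] = "nslookup";
    argv[1] = host;
    argv[2] = dns_server;
    argv[3] = NULL;
    return 0;
}
```

Validation and shell-free execution are complementary: the allow-list rejects malformed values early, and passing an argument vector to the exec family means a value that slipped through would still not be interpreted by a shell.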

References