
CVE-2024-12009

Severity: High · RCE

Published: 11 March 2025
Modified: 11 March 2025
CISA KEV: not listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0034 (57.1st percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12009 is a high-severity OS Command Injection (CWE-78) vulnerability in the Zyxel EX5601-T1 (affected product inferred from references). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12009 is a post-authentication command injection vulnerability (CWE-78) in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier. This flaw allows arbitrary operating system command execution on affected devices, earning a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker holding administrator privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation yields full control of the device: arbitrary OS command execution with high impact on confidentiality, integrity, and availability.

The Zyxel security advisory provides details on mitigation, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025. Security practitioners should consult this for patching instructions and affected device lists.


Vulnerability details

A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The post-authentication command injection vulnerability allows arbitrary OS command execution on a network-accessible device, directly enabling exploitation of public-facing applications (T1190) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2026-40111 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2019-25224 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)

Affected Assets

Vendor: Zyxel
Product: EX5601-T1
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the command injection vulnerability by requiring timely identification, reporting, and remediation of flaws through firmware patching as recommended in the Zyxel advisory.

SI-10 Information Input Validation (prevent)
Prevents command injection attacks like CVE-2024-12009 by validating and sanitizing inputs to the ZyEE function to block arbitrary OS command execution.

Least privilege (prevent)
Limits the impact of post-authentication exploitation by enforcing least privilege, ensuring administrator accounts lack unnecessary permissions for arbitrary OS command execution.
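The SI-10 control above is easiest to see in code. The following is an added example, not Zyxel firmware or anything from the advisory: the page gives no detail of the ZyEE function's inputs, so it uses a hypothetical CPE diagnostic handler that runs a ping against a user-supplied "host" parameter (the parameter name and the tool are assumptions). It shows the CWE-78 pattern, a parameter spliced into a shell command line, beside the hardened form: a strict allowlist validator followed by a direct exec with an argv array, so no shell ever parses the input.

```c
/* Added example (not Zyxel code): SI-10 input validation for a hypothetical
 * CPE diagnostic handler that pings a user-supplied host. The "host"
 * parameter and the ping tool are assumptions for illustration only. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define HOST_MAX 253

/* Weak pattern (CWE-78): the parameter is spliced into a shell command line,
 * so any shell metacharacter in it is interpreted by /bin/sh. This function
 * only builds the string so the reader can see what the shell would receive;
 * nothing here executes it. Returns 0 on success, -1 if it would truncate. */
int build_shell_command(char *out, size_t outlen, const char *host) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* SI-10 check: accept only a conservative allowlist for a hostname or IPv4
 * literal (letters, digits, '-', '.'), bounded length, no leading/trailing
 * '.' or '-', and no empty labels. Everything else is rejected before any
 * process is started. Returns 1 if valid, 0 otherwise. */
int validate_host(const char *host) {
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > HOST_MAX) return 0;
    if (host[0] == '.' || host[0] == '-' ||
        host[len - 1] == '.' || host[len - 1] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
        if (c == '.' && host[i + 1] == '.') return 0;   /* empty label */
    }
    return 1;
}

/* Hardened pattern: validate, then exec the tool directly with an argv
 * array. No shell is involved, so even if the validator were loosened later,
 * a metacharacter could not chain a second command. Returns the tool's exit
 * status, -1 on invalid input, -2 on fork/exec/wait failure. */
int run_ping_safe(const char *host) {
    if (!validate_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execv("/bin/ping", argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void) {
    /* Constructed sample inputs: two valid hosts and three that the
     * allowlist rejects, one of them carrying a shell metacharacter. */
    const char *inputs[] = { "example.com", "10.0.0.1", "10.0.0.1;echo", "a..b", "-x" };
    char cmd[512];
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        build_shell_command(cmd, sizeof cmd, inputs[i]);
        printf("%-14s valid=%d  shell would receive: \"%s\"\n",
               inputs[i], validate_host(inputs[i]), cmd);
    }
    return 0;
}
```

The two layers are deliberate: the validator is the SI-10 control and is what a reviewer can audit, while the exec-with-argv form removes the shell as an interpreter entirely, so the device's exposure no longer depends on the validator being perfect. The same structure applies to any firmware handler that shells out on behalf of an administrator.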
