CVE-2024-12010
Published: 11 March 2025
Summary
CVE-2024-12010 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel AX7501-B1 (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12010 is a post-authentication command injection vulnerability (CWE-78) in the zyUtilMailSend function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
An authenticated attacker with administrator privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation enables execution of arbitrary operating system commands on the vulnerable device.
The Zyxel security advisory provides details on mitigation: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerabilities-in-certain-dsl-ethernet-cpe-fiber-ont-and-wifi-extender-devices-03-11-2025.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54138
Vulnerability details
A post-authentication command injection vulnerability in the "zyUtilMailSend" function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Post-authentication command injection (CWE-78) in network device firmware gives an attacker remote arbitrary OS command execution once administrator authentication succeeds, which maps to T1190 (Exploit Public-Facing Application) and T1059.004 (Command and Scripting Interpreter: Unix Shell).
Mitigating Controls (NIST 800-53 r5)
Information input validation directly prevents command injection by sanitizing user inputs to the zyUtilMailSend function before OS command execution.
Flaw remediation requires timely patching of the specific command injection vulnerability in the Zyxel AX7501-B1 firmware.
Least privilege restricts administrator accounts from executing arbitrary OS commands, limiting the impact of successful exploitation.
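As an added illustration of the SI-10 control above, not Zyxel's code: zyUtilMailSend's real interface is not public, so the recipient and SMTP-host parameters and the /usr/sbin/sendmail path are assumptions. The helper allowlists both inputs and hands them to the OS as an argv array instead of a shell command line, so shell metacharacters are never interpreted.

```c
/* Added example (hypothetical interface): SI-10 input validation for a
 * firmware mail-send helper. The vulnerable pattern this replaces is
 *   snprintf(cmd, n, "sendmail -S %s %s", host, rcpt); system(cmd);
 * where any shell metacharacter in host/rcpt reaches /bin/sh. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_ADDR 254
#define MAX_HOST 253

/* E-mail address allowlist: alnum plus . _ - + and exactly one interior '@'.
 * Everything else (; | & ` $ ( ) space, newline, ...) is rejected outright. */
static bool valid_mail_addr(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ADDR) return false;
    int at = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+') continue;
        if (c == '@') { at++; continue; }
        return false;
    }
    return at == 1 && s[0] != '@' && s[n - 1] != '@';
}

/* Hostname allowlist: RFC 1123 label characters only, no leading '-' or '.'. */
static bool valid_host(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_HOST) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return false;
    }
    return s[0] != '-' && s[0] != '.';
}

/* Fills argv for an execv()-style call (no shell involved). argv must hold
 * at least 6 entries. Returns the argument count, or 0 if input was rejected. */
int build_mail_argv(const char *smtp_host, const char *rcpt, const char *argv[]) {
    if (!valid_host(smtp_host) || !valid_mail_addr(rcpt)) return 0;
    argv[0] = "/usr/sbin/sendmail";   /* assumed mail client path */
    argv[1] = "-S";
    argv[2] = smtp_host;
    argv[3] = "--";                   /* end of options: rcpt can't become a flag */
    argv[4] = rcpt;
    argv[5] = NULL;
    return 5;
}
```

The caller would pass the filled array to execv() and, per the page's least-privilege note, run the mail client under an unprivileged account.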