CVE-2024-12398

Severity: High
Published: 14 January 2025
Modified: 21 January 2025
KEV Added: not listed
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (64.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12398 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Zyxel NWA50AX firmware and related Zyxel access-point and security-router firmware (see Affected Assets). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 35.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-12398 is an improper privilege management vulnerability, classified under CWE-269, affecting the web management interface in Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2). It enables an authenticated user with limited privileges to escalate their access to administrator level, allowing them to upload configuration files to the vulnerable device. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker requires network access to the web management interface and valid credentials for a limited-privilege account, which could be obtained through weak passwords, prior compromises, or social engineering. Once authenticated, exploitation is straightforward with low complexity and no user interaction needed, leading to privilege escalation. Successful exploitation grants administrator rights, enabling configuration file uploads that could facilitate further persistence, backdoor installation, or full device takeover.

Zyxel has published a security advisory detailing the issue, available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-improper-privilege-management-vulnerability-in-aps-and-security-router-devices-01-14-2025, which security practitioners should consult for recommended mitigations and patches.

Vulnerability details

An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct vertical privilege escalation via improper privilege management in authenticated web interface, matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13835 (shared CWE-269)
CVE-2024-44250 (shared CWE-269)
CVE-2024-53706 (shared CWE-269)
CVE-2025-66374 (shared CWE-269)
CVE-2026-28995 (shared CWE-269)
CVE-2025-43199 (shared CWE-269)
CVE-2025-36640 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2024-47770 (shared CWE-269)
CVE-2025-24254 (shared CWE-269)

Affected Assets

zyxel nwa50ax firmware ≤ 7.10(abyw.1)
zyxel nwa50ax pro firmware ≤ 7.10(acge.1)
zyxel nwa55axe firmware ≤ 7.10(abzl.1)
zyxel nwa90ax firmware ≤ 7.10(accv.1)
zyxel nwa90ax pro firmware ≤ 7.10(acgf.1)
zyxel nwa110ax firmware ≤ 7.10(abtg.1)
zyxel nwa130be firmware ≤ 7.10(acil.1)
zyxel nwa210ax firmware ≤ 7.10(abtd.1)
zyxel nwa220ax-6e firmware ≤ 7.10(acco.1)
zyxel nwa1123acv3 firmware ≤ 6.70(abvt.6)
+13 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent): enforces least privilege by ensuring limited-privilege users cannot access or perform administrator functions such as privilege escalation and configuration uploads.

AC-3 Access Enforcement (prevent): requires the system to enforce approved access control policies, preventing limited users from escalating privileges in the web management interface.

AC-2 Account Management (prevent): mandates proper management of accounts and privileges, including review and assignment of minimal privileges, to mitigate improper privilege management vulnerabilities.
