Cyber Resilience

CVE-2024-40890

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 04 February 2025
Modified: 27 October 2025
KEV Added: 11 February 2025
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4588 (97.7th percentile)
Risk Priority: 65 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40890 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Sbg3500-N000 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-40890 is a post-authentication command injection vulnerability, tracked under CWE-78, that affects the CGI program in the legacy Zyxel VMG4325-B10A DSL CPE running firmware version 1.00(AAFR.4)C0_20170615. The flaw permits an authenticated attacker to supply a crafted HTTP POST request that results in execution of arbitrary operating system commands on the device. The issue was assigned an 8.8 CVSS score reflecting network attack vector, low complexity, and full confidentiality, integrity, and availability impact.

An authenticated attacker with network access can exploit the vulnerability by sending a malicious POST request to the affected CGI endpoint, achieving remote command execution on the device. Because the device is marked unsupported, no vendor remediation is available for this firmware version.

The referenced Zyxel advisory addresses command injection issues in certain legacy DSL CPE models and notes the unsupported status of the VMG4325-B10A firmware. CISA has added CVE-2024-40890 to its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has reached 0.4588, indicating substantial exploitation interest.

EU & UK References

Vulnerability details

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 11 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Post-authentication command injection in a network-exposed CGI program directly enables exploitation of a public-facing web application (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-40891 (same product: Zyxel Sbg3300-N000; both on KEV)
CVE-2026-1459 (same vendor: Zyxel)
CVE-2025-13942 (same vendor: Zyxel)
CVE-2026-7256 (same vendor: Zyxel)
CVE-2025-13943 (same vendor: Zyxel)
CVE-2025-0890 (same product: Zyxel Sbg3300-N000)
CVE-2025-58034 (shared CWE-78; both on KEV)
CVE-2025-9377 (shared CWE-78; both on KEV)
CVE-2025-1316 (shared CWE-78; both on KEV)
CVE-2025-8693 (same vendor: Zyxel)

Affected Assets

zyxel vmg1312-b10a firmware (all versions)
zyxel vmg1312-b10b firmware (all versions)
zyxel vmg1312-b10e firmware (all versions)
zyxel vmg3312-b10a firmware (all versions)
zyxel vmg3313-b10a firmware (all versions)
zyxel vmg3926-b10b firmware (all versions)
zyxel vmg4325-b10a firmware (all versions)
zyxel vmg4380-b10a firmware (all versions)
zyxel vmg8324-b10a firmware (all versions)
zyxel vmg8924-b10a firmware (all versions)
+4 more product configuration(s); see NVD for the full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 (prevent): SI-10 requires validating all inputs to the vulnerable CGI program, directly preventing command injection via crafted HTTP POST requests in CVE-2024-40890.

SA-22 (prevent): SA-22 prohibits or applies safeguards to unsupported system components like the legacy Zyxel VMG4325-B10A firmware, mitigating exploitation of this unpatchable vulnerability.

SI-2 (prevent, recover): SI-2 mandates identifying, reporting, and correcting flaws like CVE-2024-40890, including isolating or replacing affected legacy CPE devices listed in CISA KEV.

References