CVE-2024-40890
Published: 04 February 2025
Summary
CVE-2024-40890 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Sbg3500-N000 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-40890 is a post-authentication command injection vulnerability, tracked under CWE-78, that affects the CGI program in the legacy Zyxel VMG4325-B10A DSL CPE running firmware version 1.00(AAFR.4)C0_20170615. The flaw permits an authenticated attacker to supply a crafted HTTP POST request that results in execution of arbitrary operating system commands on the device. The issue was assigned an 8.8 CVSS score reflecting network attack vector, low complexity, and full confidentiality, integrity, and availability impact.
An authenticated attacker with network access can exploit the vulnerability by sending a malicious POST request to the affected CGI endpoint, achieving remote command execution on the device. Because the device is marked unsupported, no vendor remediation is available for this firmware version.
The referenced Zyxel advisory addresses command injection issues in certain legacy DSL CPE models and notes the unsupported status of the VMG4325-B10A firmware. CISA has added CVE-2024-40890 to its Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has reached 0.4588, indicating substantial exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38809
Vulnerability details
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a…
more
crafted HTTP POST request.
- CWE(s)
- KEV Date Added
- 11 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth command injection in network-exposed CGI directly enables exploitation of public-facing web app (T1190) and arbitrary Unix shell command execution (T1059.004) on the device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validating all inputs to the vulnerable CGI program, directly preventing command injection via crafted HTTP POST requests in CVE-2024-40890.
SA-22 prohibits or applies safeguards to unsupported system components like the legacy Zyxel VMG4325-B10A firmware, mitigating exploitation of this unpatchable vulnerability.
SI-2 mandates identifying, reporting, and correcting flaws like CVE-2024-40890, including isolating or replacing affected legacy CPE devices listed in CISA KEV.