CVE-2024-40891
Published: 04 February 2025
Summary
CVE-2024-40891 is a high-severity OS command injection (CWE-78) vulnerability in legacy Zyxel DSL CPE firmware (catalogued here under Zyxel SBG3500-N000 firmware; the NVD description names VMG4325-B10A firmware 1.00(AAFR.4)C0_20170615). Its CVSS v3.1 base score is 8.8 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations identified in this analysis are NIST SP 800-53 CM-7 (Least Functionality) and SA-22 (Unsupported System Components).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of inputs to management commands, directly preventing command injection through the vulnerable Telnet interface.
- CM-7 (Least Functionality): restricts the device to essential functionality by disabling unnecessary protocols such as Telnet and unneeded management commands, removing exposure to the post-authentication injection point.
- SA-22 (Unsupported System Components): prohibits use of unsupported components such as this end-of-life firmware, directly addressing the unsupported status of the affected Zyxel device.
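As an added illustration of the SI-10 and CM-7 points above (example code written for this page, not Zyxel firmware code), the block below shows the CWE-78 pattern a management command such as a diagnostic ping typically exhibits, beside a hardened form that validates the argument against an allowlist and executes without a shell. The command name, argument format and the hostname allowlist are assumptions.

```python
"""CWE-78 in a CPE-style 'ping' management command, vulnerable and hardened.

Illustrative example added for this page; it is not Zyxel firmware code.
The 'ping' command, its argument format and the allowlist are assumptions.
"""
import re
import subprocess
from typing import List

# Constructed attacker input: a valid-looking host followed by a second command.
INJECTED_ARG = "192.0.2.10; cat /etc/passwd"

# Allowlist: a dotted-quad IPv4 address or an RFC 1123-style hostname
# (labels of 1-63 alphanumerics/hyphens, not starting or ending with a hyphen).
_HOST_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}"
    r"|(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)


def vulnerable_command_line(host: str) -> str:
    """Vulnerable form: the user-supplied argument is spliced into a shell
    string. Returns the line that would be handed to /bin/sh -c, where ';'
    terminates the ping and starts the attacker's command."""
    return f"ping -c 3 {host}"


def is_valid_host(host: str) -> bool:
    """SI-10-style input validation: accept only what the allowlist permits.
    Everything else (shell metacharacters, command substitution, overlong
    labels) is rejected rather than escaped."""
    return len(host) <= 253 and _HOST_RE.fullmatch(host) is not None


def hardened_argv(host: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. Passing a list
    to subprocess.run() with shell=False means no shell ever parses the
    argument, so ';', '|', '&&' and '$(...)' carry no meaning."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "3", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (shell=False is the default)."""
    return subprocess.run(hardened_argv(host), check=False, capture_output=True)


if __name__ == "__main__":
    print(vulnerable_command_line(INJECTED_ARG))
    print("valid:", is_valid_host(INJECTED_ARG), is_valid_host("192.0.2.10"))
    print(hardened_argv("gateway.example.net"))
```

The allowlist deliberately does not try to enumerate dangerous characters: a denylist of `;`, `|` and backticks still misses `$(...)`, newlines and locale-specific quoting, whereas an allowlist rejects everything that is not a host. Disabling the Telnet service altogether (CM-7) removes the injection point regardless of how the command handler is written.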
NVD Description
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
Deeper analysis
CVE-2024-40891 is a post-authentication command injection vulnerability (CWE-78) in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. The flaw, published on 2025-02-04, allows an authenticated attacker to execute arbitrary operating system commands on an affected device via Telnet. The CVE carries the UNSUPPORTED WHEN ASSIGNED tag: the affected firmware was already out of vendor support when the ID was assigned, so no vendor fix is expected and remediation means replacing the device (SA-22).
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within the device's own scope (S:U), giving the CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and a base score of 8.8. Because the injected commands run as the firmware's OS user, the practical outcome is full device compromise.
Zyxel's security advisory details the command injection vulnerability alongside insecure default credentials issues in certain legacy DSL CPE devices. The advisory is available at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025.
The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-40891), signaling real-world exploitation.
Details
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 11 February 2025