CVE-2024-40891
Published: 04 February 2025
Summary
CVE-2024-40891 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Sbg3500-N000 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 2.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SA-22 (Unsupported System Components).
Deeper analysis
CVE-2024-40891 is a post-authentication command injection vulnerability, tracked under CWE-78, that affects the management command interface of the legacy Zyxel VMG4325-B10A DSL CPE running firmware version 1.00(AAFR.4)C0_20170615. The flaw permits an authenticated user to inject and execute arbitrary operating system commands on the device over Telnet. It carries a CVSS 3.1 score of 8.8 and is explicitly labeled unsupported when assigned.
An attacker who has already obtained valid credentials can connect via Telnet and leverage the management commands to run OS-level instructions, resulting in full compromise of the confidentiality, integrity, and availability of the affected CPE.
The Zyxel security advisory published on 4 February 2025 addresses command injection issues in certain legacy DSL CPE models, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
The vulnerability's EPSS score currently stands at 0.5324 with a recorded peak of 0.5630, reflecting sustained exploitation interest against this unsupported device.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38851
Vulnerability details
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
- CWE(s)
- KEV Date Added
- 11 February 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Post-auth command injection (CWE-78) directly enables arbitrary Unix shell/OS command execution on the device via Telnet management interface.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of information inputs to management commands, directly preventing command injection exploitation in the vulnerable Telnet interface.
Restricts system functionality to essentials by disabling unnecessary protocols like Telnet and excess management commands, eliminating exposure to the post-authentication injection point.
Prohibits use of unsupported system components like the legacy vulnerable firmware, directly addressing the unsupported status of the affected Zyxel device.