Cyber Resilience

CVE-2024-40891

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 04 February 2025
Modified: 27 October 2025
KEV Added: 11 February 2025
Patch: none listed (the product was unsupported when the CVE was assigned)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5324 (98.0th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-40891 is a high-severity OS command injection (CWE-78) vulnerability in the Telnet management command interface of legacy Zyxel DSL CPE firmware. The CVE record names the VMG4325-B10A; NVD's affected-configuration list extends to further legacy VMG and SBG models (see Affected Assets). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004): the injected payload runs as a shell command on the device. The CVE ranks in the top 2.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations this analysis identified are NIST 800-53 CM-7 (Least Functionality), disabling Telnet and unneeded management commands, and SA-22 (Unsupported System Components), retiring the end-of-life device. SI-10 (Information Input Validation) addresses the root cause, but it is a vendor-side fix and is not available to an operator running unsupported firmware.

Deeper analysis

CVE-2024-40891 is a post-authentication command injection vulnerability (CWE-78) in the management commands of the legacy Zyxel VMG4325-B10A DSL CPE running firmware version 1.00(AAFR.4)C0_20170615. An authenticated user can inject arbitrary operating system commands through those management commands over Telnet and have them executed on the device. It carries a CVSS 3.1 score of 8.8, and the record is explicitly tagged UNSUPPORTED WHEN ASSIGNED: the product was already end-of-life when the CVE was issued, so no vendor fix is expected.

An attacker who holds valid credentials connects over Telnet and supplies shell metacharacters in the arguments of a management command; the firmware hands the resulting string to the underlying OS shell, yielding full compromise of the confidentiality, integrity, and availability of the CPE. Two caveats narrow the protection the "post-authentication" qualifier implies: Telnet carries the credentials in cleartext, and the operator can neither patch the device nor fix its input handling, so exposure of the Telnet service itself is the factor under the operator's control.
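The pattern described above, in a constructed illustration added here (this is not Zyxel's firmware code, which the page does not show): a Telnet management command handler that interpolates a user-supplied argument into a shell command string, beside a hardened version that validates the argument against a character allow-list and passes it as a discrete argv element instead of through a shell. The `ping <host>` command, the buffer sizes, and the sample payload are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (constructed; not Zyxel code): the management
 * command "ping <host>" is flattened into one string that the caller
 * would hand to system(). Shell metacharacters in <host> (';', '|',
 * '`', '$(...)', newline) therefore become additional commands.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/ping -c 4 %s", host);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
    /* original sin would follow here: system(out); */
}

/* Hardened argument check (NIST SI-10 style): accept only characters
 * that can appear in an IPv4 address or a DNS name. Every shell
 * metacharacter and all whitespace fall outside this set and are
 * rejected before anything is executed. Returns 1 if safe, else 0. */
int host_arg_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)          /* DNS name length limit */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    if (host[0] == '-')                 /* would be parsed as a ping option */
        return 0;
    return 1;
}

/* Hardened builder: no shell at all. The host becomes its own argv
 * element, so even a character that slipped past validation reaches
 * ping as a literal hostname, never the shell. Fills argv (NULL-
 * terminated) and returns argc, or -1 if the host is rejected. */
int build_ping_argv_hardened(const char *host, const char *argv[], size_t max)
{
    if (max < 5 || !host_arg_is_safe(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
    /* caller would then fork() and execv(argv[0], (char *const *)argv); */
}

int main(void)
{
    /* constructed attacker input: a valid host followed by a second command */
    const char *payload = "8.8.8.8; cat /etc/passwd";
    char cmd[256];
    const char *argv[8];

    if (build_ping_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run via shell: %s\n", cmd);

    if (build_ping_argv_hardened(payload, argv, 8) < 0)
        printf("hardened handler rejected: %s\n", payload);
    else
        printf("hardened handler accepted host: %s\n", argv[3]);
    return 0;
}
```

The allow-list is deliberately narrower than "strip the dangerous characters": a denylist has to anticipate every shell construct, whereas the allow-list plus a shell-free execv path fails closed on anything unexpected.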

Zyxel published a security advisory on 4 February 2025 covering command injection issues in certain legacy DSL CPE models, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 11 February 2025, confirming exploitation in the wild. Because the affected models are end-of-life, no patch is listed; the practical remedy is to retire or isolate the device rather than wait for a firmware update.

The vulnerability's EPSS score currently stands at 0.5324, with a recorded peak of 0.5630, reflecting sustained exploitation interest against an unsupported device.


Vulnerability details

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 11 February 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Post-authentication command injection (CWE-78) directly enables arbitrary Unix shell/OS command execution on the device via the Telnet management interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-40890 · Same product: Zyxel Sbg3300-N000 · both on KEV
CVE-2025-0890 · Same product: Zyxel Sbg3300-N000
CVE-2026-1459 · Same vendor: Zyxel
CVE-2025-13942 · Same vendor: Zyxel
CVE-2026-7256 · Same vendor: Zyxel
CVE-2025-13943 · Same vendor: Zyxel
CVE-2025-58034 · Shared CWE-78 · both on KEV
CVE-2025-64328 · Shared CWE-78 · both on KEV
CVE-2025-8693 · Same vendor: Zyxel
CVE-2025-9377 · Shared CWE-78 · both on KEV

Affected Assets

Vendor: Zyxel. Affected firmware, all versions (per NVD configurations):
VMG1312-B10A firmware
VMG1312-B10B firmware
VMG1312-B10E firmware
VMG3312-B10A firmware
VMG3313-B10A firmware
VMG3926-B10B firmware
VMG4325-B10A firmware
VMG4380-B10A firmware
VMG8324-B10A firmware
VMG8924-B10A firmware
+4 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Requires validation of information inputs to management commands, directly preventing command injection in the vulnerable Telnet interface. This is the vendor-side fix; it cannot be applied by the operator of unsupported firmware.

CM-7 Least Functionality (prevent)
Restricts system functionality to essentials by disabling unnecessary protocols such as Telnet and unneeded management commands, removing exposure of the post-authentication injection point.

SA-22 Unsupported System Components (prevent)
Prohibits use of unsupported system components such as the legacy vulnerable firmware, directly addressing the unsupported status of the affected Zyxel device.
