CVE-2024-8234
Published: 30 August 2024
Summary
CVE-2024-8234 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel Nwaw1100-N Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-8234 is a command injection vulnerability, tracked under CWE-78, that affects the Zyxel NWA1100-N wireless access point running firmware version 1.00(AACE.1)C0. The flaw resides in the functions formSysCmd(), formUpgradeCert(), and formDelcert(), which fail to properly sanitize input and permit execution of arbitrary operating system commands. The issue was assigned a CVSS 3.1 score of 7.5 and is explicitly marked unsupported when assigned.
An unauthenticated attacker with network access can invoke the affected functions to run OS commands on the device, enabling read access to system files without requiring credentials or user interaction. The attack vector is rated as low complexity and can be performed remotely over the network.
The referenced materials include a public proof-of-concept exploit and Zyxel’s archived EOL model list, indicating that the NWA1100-N has reached end-of-life status with no vendor patches or ongoing support available. The EPSS score has remained essentially flat near 0.07 with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49039
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the functions formSysCmd(), formUpgradeCert(), and formDelcert() in the Zyxel NWA1100-N firmware version 1.00(AACE.1)C0 could allow an unauthenticated attacker to execute some OS commands to access system files on an affected…
more
device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated command injection in web functions enables exploitation of public-facing application (T1190), network device command execution (T1059.008), and system file access (T1005).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.