Home / Vulnerabilities / CVE-2024-40890
HIGH SEVERITY
CVE-2024-40890 Zyxel · DSL CPE Devices

Zyxel DSL CPE OS Command Injection Vulnerability

Technical Severity

CVSS v3.1 Metrics

HIGH
8.8 / 10
Minimal Risk Critical
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation Likelihood

EPSS Prediction

13.04 %
Predictive Probability
Percentile Rank
93.9 th

Documented as more likely to be exploited than 93.9% of known CVEs.

Detection Date

Feb 11, 2025

Remediation Due

Mar 04, 2025

CISA Catalog Active

Threat Analysis

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.

Remediation Directive

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

External Intelligence

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

https://www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025

https://www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025
NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2024-40890