PT-2025-2603 · Zyxel · Zyxel Vmg4325-B10A

🗓️ 27 Jan 2025 00:00:00Reported by Positive TechnologiesType

Post-auth CGI command injection in Zyxel VMG4325-B10A lets authenticated users run OS commands with supervisor privileges.

Reporter	Title	Published	Views	Family All 25
ATTACKERKB	CVE-2024-40891	4 Feb 202500:00	–	attackerkb
ATTACKERKB	CVE-2024-40890	4 Feb 202500:00	–	attackerkb
Circl	CVE-2024-40890	29 Jan 202511:50	–	circl
Circl	CVE-2024-40891	28 Jan 202521:13	–	circl
CISA KEV Catalog	Zyxel DSL CPE OS Command Injection Vulnerability	11 Feb 202500:00	–	cisa_kev
CISA KEV Catalog	Zyxel DSL CPE OS Command Injection Vulnerability	11 Feb 202500:00	–	cisa_kev
CISA	CISA Adds Four Known Exploited Vulnerabilities to Catalog	11 Feb 202512:00	–	cisa
CNNVD	Zyxel VMG4325-B10A 操作系统命令注入漏洞	4 Feb 202500:00	–	cnnvd
CNNVD	Zyxel VMG4325-B10A 操作系统命令注入漏洞	4 Feb 202500:00	–	cnnvd
CVE	CVE-2024-40890	4 Feb 202509:55	–	cve

Source	Link
zyxel	www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-40890
zyxel	www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025
bdu	www.bdu.fstec.ru/vul/2025-01350
twitter	www.twitter.com/catnap707/status/1884729552850870673
t	www.t.me/cvenotify/110978
securitylab	www.securitylab.ru/news/555934.php
twitter	www.twitter.com/TMJIntel/status/1889407307638858212
twitter	www.twitter.com/fletch_ai/status/1884466659098009882
securityweek	www.securityweek.com/new-zyxel-zero-day-under-attack-no-patch-available

19 Feb 2025 00:00Current

9.8High risk

Vulners AI Score9.8

CVSS 210

CVSS 3.18.8

EPSS0.53243