CVE-2022-45440Link Following in Zyxel Ax7501-b0 Firmware

CWE-59Link FollowingCWE-552Files or Directories Accessible to External Parties4 documents4 sources
Severity
4.4MEDIUMNVD
EPSS
0.1%
top 70.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zyxel Ax7501-b0 Firmware
Timeline
PublishedJan 17

Description

A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5zyxel/ax7501-b0_firmware< V5.17(ABPC.3)C0
NVDzyxel/ax7501-b0_firmware< 5.17\(abpc.3\)c0

🔴Vulnerability Details

3
GHSA
GHSA-rpwq-xw4m-459x: A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V52023-01-17
CVEList
CVE-2022-45440: A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V52023-01-17
VulnCheck
Zyxel ax7501-b0_firmware Improper Link Resolution Before File Access ('Link Following')2022
CVE-2022-45440 — Link Following in Zyxel | cvebase