CVE-2024-42057

CWE-78OS Command Injection4 documents4 sources
Severity
8.1HIGH
EPSS
2.9%
top 13.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Zyxel ZLDZyxel ATP Series FirmwareZyxel Usg20(w)-vpn Series Firmware+2 more
Timeline
PublishedSep 3

Description

A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be success

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages5 packages

CVEListV5zyxel/usg_flex_series_firmwareversions V4.50 through V5.38
CVEListV5zyxel/usg_flex_50(w)_series_firmwareversions V4.16 through V5.38
CVEListV5zyxel/usg20(w)-vpn_series_firmwareversions V4.16 through V5.38
CVEListV5zyxel/atp_series_firmwareversions V4.32 through V5.38
NVDzyxel/zld4.325.39+2

🔴Vulnerability Details

3
GHSA
GHSA-vf97-4vg7-22rv: A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V42024-09-03
CVEList
CVE-2024-42057: A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V42024-09-03
VulnCheck
Zyxel zld Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')2024
CVE-2024-42057 (HIGH CVSS 8.1) | A command injection vulnerability i | cvebase.io