CVE-2024-7203 — OS Command Injection in Zyxel ZLD

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.9%

top 24.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel ZLD Zyxel ATP Series Firmware Zyxel USG Flex Series Firmware

Timeline

PublishedSep 3

Latest updateApr 9

Description

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5zyxel/usg_flex_series_firmwareversions V4.60 through V5.38

▶CVEListV5zyxel/atp_series_firmwareversions V4.60 through V5.38

▶NVDzyxel/zld4.60 — 5.39

🔴Vulnerability Details

GHSA

GHSA-pvch-9x5f-vxhr: A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4↗2024-09-03

▶

CVEList

CVE-2024-7203: A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4↗2024-09-03

▶

💥Exploits & PoCs

Exploit-DB

Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege↗2025-04-09

▶