CVE-2024-9200 — OS Command Injection in Zyxel Emg6726-b10a Firmware

CWE-78 — OS Command Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.5%

top 36.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Emg6726-b10a Firmware Zyxel Vmg3927-b50b Firmware Zyxel Vmg4005-b50a Firmware +3 more

Timeline

PublishedDec 3

Description

A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages7 packages

▶NVDzyxel/vmg4005-b50a_firmware< 5.15\(abqa.2.3\)c0

▶CVEListV5zyxel/vmg4005-b50a_firmwareV5.15(ABQA.2.2)C0

▶NVDzyxel/vmg4005-b50b_firmware< 5.13\(abrl.5.2\)c0

▶NVDzyxel/vmg4005-b60a_firmware< 5.15\(abqa.2.3\)c0

▶NVDzyxel/vmg4927-b50a_firmware< 5.13\(ably.9\)c1

🔴Vulnerability Details

GHSA

GHSA-3787-f2g5-hhvq: A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions throu↗2024-12-03

▶

CVEList

CVE-2024-9200: A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions throu↗2024-12-03

▶