CVE-2019-15800

high-risk

Published 2019-11-14

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Due to lack of input validation in the cmd_sys_traceroute_exec(), cmd_sys_arp_clear(), and cmd_sys_ping_exec() functions in the libclicmd.so library contained in the firmware, an attacker could leverage these functions to call system() and execute arbitrary commands on the switches. (Note that these functions are currently not called in this version of the firmware, however an attacker could use other vulnerabilities to finally use these vulnerabilities to gain code execution.)

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (9)

Gs1900-8 Firmware

Gs1900-8Hp Firmware

Gs1900-10Hp Firmware

Gs1900-16 Firmware

Gs1900-24E Firmware

Gs1900-24 Firmware

Gs1900-24Hp Firmware

Gs1900-48 Firmware

Gs1900-48Hp Firmware

Affected Vendors

Zyxel

References (4)

Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

Exploit https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html

Vendor Advisory https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 6/34 · Minimal

Exposure 15/34 · Moderate