CVE-2024-40890

critical-risk

Published 2025-02-04

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

Do I need to act?

45.9% chance of exploitation in next 30 days

EPSS score — higher than 54% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (14)

Vmg1312-B10A Firmware

Vmg1312-B10B Firmware

Vmg1312-B10E Firmware

Vmg3312-B10A Firmware

Vmg3313-B10A Firmware

Vmg3926-B10B Firmware

Vmg4325-B10A Firmware

Vmg4380-B10A Firmware

Vmg8324-B10A Firmware

Vmg8924-B10A Firmware

Sbg3300-N000 Firmware

Sbg3300-Nb00 Firmware

Sbg3500-N000 Firmware

Sbg3500-Nb00 Firmware

Affected Vendors

Zyxel

References (2)

Vendor Advisory https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advis...

US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-...

/ 100

critical-risk

Severity 30/34 · Critical

Exploitability 24/34 · High

Exposure 18/34 · Moderate