CVE-2024-40890 Zyxel DSL CPE OS Command Injection


CVE-2024-40890 is a critical security vulnerability identified in certain legacy DSL Customer Premises Equipment (CPE) devices manufactured by Zyxel. This post-authentication command injection flaw resides within the devices’ Common Gateway Interface (CGI) program. An authenticated attacker can exploit this vulnerability by sending a crafted HTTP POST request, enabling the execution of operating system (OS) commands on the affected device. Notably, Wide Area Network (WAN) access is disabled by default on these devices, and successful exploitation requires that user-configured passwords have been compromised.

What is Vulnerable to CVE-2024-40890

The following Zyxel legacy DSL CPE models are confirmed to be affected by CVE-2024-40890:

  • VMG1312-B10A
  • VMG1312-B10B
  • VMG1312-B10E
  • VMG3312-B10A
  • VMG3313-B10A
  • VMG3926-B10B
  • VMG4325-B10A
  • VMG4380-B10A
  • VMG8324-B10A
  • VMG8924-B10A
  • SBG3300
  • SBG3500

These models have reached their end-of-life (EOL) status, meaning they no longer receive security updates or support from Zyxel.

Mitigation and Remediation for CVE-2024-40890

Given the EOL status of the affected devices, Zyxel strongly recommends replacing them with newer-generation products to ensure optimal protection. If immediate replacement isn’t feasible, users should implement the following measures:

  • Disable Remote Access: Ensure that WAN access is disabled to prevent unauthorized external connections.
  • Regularly Update Passwords: Change all user-configured passwords periodically and ensure they are strong and unique.
  • Monitor Network Traffic: Keep an eye on unusual HTTP POST requests to the device’s management interfaces.

It’s important to note that these are temporary measures, and upgrading to supported hardware is the most effective long-term solution.
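The third mitigation above is easier to act on with a concrete check. The script below is an added example, not code from the Zyxel advisory or from WNE Security: it parses HTTP access-log lines in Common Log Format (assumed to be captured from the device's management interface by a proxy or network sensor), flags POST requests to CGI paths that originate outside the configured LAN subnet, and separately flags any source that bursts several CGI POSTs. The LAN subnet, the CGI path names and every log line are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumed LAN subnet of the CPE; adjust to the real deployment.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (Common Log Format). Paths and addresses are
# placeholders and are not taken from the advisory.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Feb/2025:09:12:01 +0000] "GET /login.html HTTP/1.1" 200 1422
192.168.1.23 - - [10/Feb/2025:09:12:07 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 302 0
203.0.113.45 - - [10/Feb/2025:09:13:10 +0000] "POST /cgi-bin/placeholder.cgi HTTP/1.1" 200 312
203.0.113.45 - - [10/Feb/2025:09:13:11 +0000] "POST /cgi-bin/placeholder.cgi HTTP/1.1" 200 312
203.0.113.45 - - [10/Feb/2025:09:13:12 +0000] "POST /cgi-bin/placeholder.cgi HTTP/1.1" 200 312
198.51.100.7 - - [10/Feb/2025:09:14:00 +0000] "GET /status.html HTTP/1.1" 200 980
"""

# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_lan_source(addr, lan_nets=LAN_NETS):
    """True if addr falls inside one of the configured LAN subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: treat as not-LAN
    return any(ip in net for net in lan_nets)


def find_suspicious(log_text, burst_threshold=3, lan_nets=LAN_NETS):
    """Flag CGI POSTs from outside the LAN and per-source CGI POST bursts.

    Returns a list of tuples:
      ("wan_post_to_cgi", source, path)   one per offending request
      ("cgi_post_burst", source, count)   one per source at/over the threshold
    """
    findings = []
    cgi_posts_per_src = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Only POST requests to the CGI handler are of interest here.
        if rec["method"] != "POST" or "/cgi-bin/" not in rec["path"]:
            continue
        cgi_posts_per_src[rec["src"]] += 1
        if not is_lan_source(rec["src"], lan_nets):
            findings.append(("wan_post_to_cgi", rec["src"], rec["path"]))
    # Repeated CGI POSTs from one source, LAN or not, are worth a look.
    for src, n in cgi_posts_per_src.items():
        if n >= burst_threshold:
            findings.append(("cgi_post_burst", src, n))
    return findings


if __name__ == "__main__":
    for kind, src, detail in find_suspicious(SAMPLE_LOG):
        print(f"{kind}: {src} {detail}")
```

Two design choices matter: the check keys on the device's own LAN subnet rather than on a generic "private address" test, because a CPE's WAN side may itself carry carrier-grade NAT or other non-public space, and the burst rule is kept separate from the WAN rule so that repeated POSTs from a compromised LAN host are also surfaced.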

Impact of Successful Exploitation of CVE-2024-40890

If exploited, CVE-2024-40890 allows an attacker to execute arbitrary OS commands on the compromised device. This can lead to:

  • Complete System Compromise: The attacker gains full control over the device.
  • Data Exfiltration: Sensitive information can be accessed and extracted.
  • Network Infiltration: The compromised device can serve as a gateway for further attacks within the network.

The severity of this vulnerability is underscored by its high CVSS score of 8.8, indicating a significant risk to affected systems.

Proof of Concept for CVE-2024-40890

As of now, there is no publicly available proof-of-concept (PoC) exploit for CVE-2024-40890. However, given the nature of the vulnerability, it’s plausible that threat actors could develop and utilize such exploits. Organizations using the affected Zyxel devices should proactively implement the recommended mitigations and prioritize upgrading to supported hardware to safeguard against potential exploitation.

For further details and updates, refer to Zyxel’s official security advisory.
