CVE ID
CVE-2024-40891
Vulnerability Name
Zyxel DSL CPE OS Command Injection Vulnerability
- Project: Zyxel
- Product: DSL CPE Devices
Date
- Date Added: 2025-02-11
- Due Date: 2025-03-04
Description
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Additional Notes
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025 ; https://www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025 ; https://nvd.nist.gov/vuln/detail/CVE-2024-40891
Top comments (0)