Zyxel DSL CPE OS Command Injection Vulnerability

Project: Zyxel

Product: DSL CPE Devices

Date Added: 2025-02-11

Due Date: 2025-03-04

Vulnerability Name

Zyxel DSL CPE OS Command Injection Vulnerability

Description

Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

Additional Notes

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-and-insecure-default-credentials-vulnerabilities-in-certain-legacy-dsl-cpe-02-04-2025

https://www.zyxel.com/service-provider/global/en/security-advisories/zyxel-security-advisory-command-injection-insecure-in-certain-legacy-dsl-cpe-02-04-2025

https://nvd.nist.gov/vuln/detail/CVE-2024-40891