Zyxel DSL CPE Devices < 1.00 — RCE
Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-03-04 under CISA BOD 22-01.
This is a OS Command Injection (CWE-78) vulnerability in Zyxel DSL CPE Devices. **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-02-11 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-03-04.
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.