CVE-2024-42059

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V5.00 through V5.38, USG FLEX series firmware versions from V5.00 through V5.38, USG FLEX 50(W) series firmware versions from V5.00 through V5.38, and USG20(W)-VPN series firmware versions from V5.00 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:atp100:-:::::::*
	cpe:2.3:h:zyxel:atp100w:-:::::::*
	cpe:2.3:h:zyxel:atp200:-:::::::*
	cpe:2.3:h:zyxel:atp500:-:::::::*
	cpe:2.3:h:zyxel:atp700:-:::::::*
	cpe:2.3:h:zyxel:atp800:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:usg_flex_100:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_500:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_700:-:::::::*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*

History

13 Dec 2024, 16:14

Type	Values Removed	Values Added
CPE	cpe:2.3:o:zyxel:zld_firmware::::::::	cpe:2.3:o:zyxel:zld::::::::
First Time		Zyxel zld

Information

Published : 2024-09-03 02:15

Updated : 2024-12-13 16:14

NVD link : CVE-2024-42059

Mitre link : CVE-2024-42059

CVE.ORG link : CVE-2024-42059

JSON object : View

Products Affected

zyxel

usg_flex_200
atp500
atp800
usg_flex_100w
usg_flex_50
usg_flex_500
usg_20w-vpn
usg_flex_50w
usg_flex_100
usg_flex_100ax
atp200
zld
atp100
usg_flex_700
atp700
atp100w

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.2 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

JSON object

Attach tags to CVE-2024-42059

7.2^/10

Attach tags to `CVE-2024-42059`