CVE-2024-7203

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:atp100:-:::::::*
	cpe:2.3:h:zyxel:atp100w:-:::::::*
	cpe:2.3:h:zyxel:atp200:-:::::::*
	cpe:2.3:h:zyxel:atp500:-:::::::*
	cpe:2.3:h:zyxel:atp700:-:::::::*
	cpe:2.3:h:zyxel:atp800:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:usg_flex_100:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_500:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_700:-:::::::*

History

13 Dec 2024, 16:14

Type	Values Removed	Values Added
First Time		Zyxel zld
CPE	cpe:2.3:o:zyxel:zld_firmware::::::::	cpe:2.3:o:zyxel:zld::::::::

Information

Published : 2024-09-03 02:15

Updated : 2024-12-13 16:14

NVD link : CVE-2024-7203

Mitre link : CVE-2024-7203

CVE.ORG link : CVE-2024-7203

JSON object : View

Products Affected

zyxel

usg_flex_200
atp500
atp800
usg_flex_100w
usg_flex_50
usg_flex_500
usg_flex_50w
usg_flex_100
usg_flex_100ax
atp200
zld
atp100
usg_flex_700
atp700
atp100w

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-7203", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@zyxel.com.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-09-03T02:15:05.520", "references": [{"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024", "tags": ["Vendor Advisory"], "source": "security@zyxel.com.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@zyxel.com.tw", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos posterior a la autenticaci\u00f3n en las versiones de firmware de la serie Zyxel ATP de V4.60 a V5.38 y en las versiones de firmware de la serie USG FLEX de V4.60 a V5.38 podr\u00eda permitir que un atacante autenticado con privilegios de administrador ejecute algunos comandos del sistema operativo (OS) en un dispositivo afectado mediante la ejecuci\u00f3n de un comando CLI manipulado espec\u00edficamente."}], "lastModified": "2024-12-13T16:14:32.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD9D1DBC-2A80-48A7-BC9E-77205BC03446", "versionEndExcluding": "5.39", "versionStartIncluding": "4.60"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7F7654A1-3806-41C7-82D4-46B0CD7EE53B"}, {"criteria": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "47398FD0-6C5E-4625-9EFD-DE08C9AB7DB2"}, {"criteria": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D68A36FF-8CAF-401C-9F18-94F3A2405CF4"}, {"criteria": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2818E8AC-FFEE-4DF9-BF3F-C75166C0E851"}, {"criteria": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0B41F437-855B-4490-8011-DF59887BE6D5"}, {"criteria": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "66B99746-0589-46E6-9CBD-F38619AD97DC"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD9D1DBC-2A80-48A7-BC9E-77205BC03446", "versionEndExcluding": "5.39", "versionStartIncluding": "4.60"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2B30A4C0-9928-46AD-9210-C25656FB43FB"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03036815-04AE-4E39-8310-DA19A32CFA48"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D74ABA7E-AA78-4A13-A64E-C44021591B42"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F93B6A06-2951-46D2-A7E1-103D7318D612"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "646C1F07-B553-47B0-953B-DC7DE7FD0F8B"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "92C697A5-D1D3-4FF0-9C43-D27B18181958"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "110A1CA4-0170-4834-8281-0A3E14FC5584"}, {"criteria": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9D1396E3-731B-4D05-A3F8-F3ABB80D5C29"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@zyxel.com.tw"}