Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
A post-authentication command injection vulnerability in Zyxel ATP series, USG FLEX series, USG FLEX 50(W) series, and USG20(W)-VPN series firmware could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device. This is achieved by uploading a crafted internal user agreement file to the vulnerable device.
This vulnerability allows an attacker with administrator privileges to execute arbitrary OS commands on the affected Zyxel devices. This could lead to complete compromise of the device, potentially allowing the attacker to modify system configurations, access sensitive information, or use the device as a pivot point for further network attacks. The impact is severe: confidentiality, integrity, and availability of the device are all rated "HIGH" in the CVSS vector (C:H/I:H/A:H).
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.
A patch is available. Zyxel has released security updates to address this vulnerability. The patch information was added on September 5, 2024, and can be found on the Zyxel website (www.zyxel.com) in their security advisory for multiple vulnerabilities in firewalls.
1. Update the firmware immediately to versions newer than those listed as vulnerable.
2. Implement strong access controls to limit administrator access to only necessary personnel.
3. Monitor and audit administrator activities, especially file uploads.
4. If immediate patching is not possible, consider temporarily disabling the ability to upload internal user agreement files if this feature is not critical to operations.
5. Implement network segmentation to limit the potential impact if a device is compromised.
6. Regularly review and update administrator credentials.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-42060
Feedly found the first article mentioning CVE-2024-42060.
CVE-2024-42060 is a critical post-authentication command injection vulnerability in Zyxel firewalls that allows an authenticated attacker to execute OS commands. It is not known if this vulnerability is being exploited in the wild, but patches have been released by Zyxel to address the issue. It is important for organizations using affected firewall versions to apply the patches immediately to prevent potential exploitation and downstream impacts on their network security.
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.05% (Percentile: 21.1%)
Detection for the vulnerability has been added to Nessus (206735)