Zyxel devices ping certificate upload command execution
NAME
Zyxel devices ping certificate upload command execution
- Platforms Affected:
Zyxel VMG3312 B10B
Zyxel VMG1312-B10D
Zyxel AMG1302-T11C
Zyxel VMG3925-B10C
Zyxel VMG8924-B10D
Zyxel VMG3312-T20A
Zyxel VMG3625-T20A
Zyxel VMG3925-B30C
Zyxel VMG3926-B10A
Zyxel VMG5313-B10B
Zyxel VMG5313-B30B
Zyxel VMG8623-T50A
Zyxel VMG8823-B10B
Zyxel VMG8823-B30B
Zyxel VMG8823-B50B
Zyxel VMG8823-B60B
Zyxel VMG8924-B30D
Zyxel DX3301-T0
Zyxel DX5410-B0
Zyxel EMG3525-T50B
Zyxel EMG5523-T50B
Zyxel EMG5723-T50K
Zyxel EX3310-T0
Zyxel EX5401-B0
Zyxel EX5501-B0
Zyxel LTE3301-PLUS
Zyxel LTE7240-M403
Zyxel VMG1312-T20B
Zyxel VMG3625-T50B
Zyxel VMG3927-B50A
Zyxel VMG3927-B60A
Zyxel VMG3927-T50K
Zyxel VMG4005-B50A
Zyxel VMG8623-T50B
Zyxel VMG8825-B50A
Zyxel VMG8825-B60A
Zyxel VMG8825-B50B
Zyxel VMG8825-T50K
Zyxel XMG3927-B50A
Zyxel XMG8825-B50A
Zyxel VPN2S
Zyxel AX7501-B0
Zyxel EP240P
Zyxel PMG5317-T20B
Zyxel PMG5617GA
Zyxel PMG5622GA
Zyxel WX3100-T0
Zyxel WX3401-B0
Zyxel WSQ50 (Multy X)
Zyxel WSQ60 (Multy Plus)
- Risk Level:
8.8
- Exploitability:
Proof of Concept
- Consequences:
Gain Access
DESCRIPTION
Zyxel devices could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a flaw in the ping diagnostic tool and the certificate upload. An attacker could exploit this vulnerability to fully compromise the system by executing arbitrary commands with root privileges.
CVSS 3.0 Information
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Apply the appropriate update for your system. See References.
- Reference Link:
https://packetstormsecurity.com/files/166033
- Reference Link:
https://seclists.org/fulldisclosure/2022/Feb/37