CVE-2024-8748: Zyxel LTE3301-Plus Firmware DoS Vulnerability

CVE-2024-8748 is a buffer overflow denial-of-service vulnerability in Zyxel LTE3301-Plus firmware that allows attackers to disrupt the web management interface. This article covers technical details, affected versions, and mitigation.

CVE-2024-8748 Overview

CVE-2024-8748 is a buffer overflow vulnerability [CWE-120] in the packet parser of the third-party library libclinkc used in Zyxel customer-premises equipment (CPE). The flaw affects a broad range of Zyxel 4G LTE, 5G NR, DSL, Ethernet CPE, fiber ONTs, and WiFi extenders, including the VMG8825-T50K through firmware version V5.50(ABOM.8.4)C0. An unauthenticated attacker can trigger the overflow by sending a crafted HTTP POST request to the web management interface, causing a temporary denial of service (DoS) condition. The vulnerability requires network access to the management interface but does not require authentication or user interaction.

Critical Impact

An unauthenticated remote attacker can crash the web management interface of affected Zyxel devices by sending a single crafted HTTP POST request, disrupting administration of the device.

Affected Products

  • Zyxel VMG8825-T50K firmware through V5.50(ABOM.8.4)C0
  • Zyxel 4G LTE / 5G NR CPE series (LTE3301-Plus, LTE5388-M804, LTE5398-M904, LTE7480-M804, LTE7490-M904, NR7101, NR7102, Nebula NR5101, Nebula NR7101, Nebula LTE3301-Plus)
  • Zyxel DSL, Ethernet CPE, fiber ONT, and WiFi extender series (DX, EX, EMG, VMG, AX, PM, PX, WX product lines)

Discovery Timeline

  • 2024-12-03 - Zyxel publishes security advisory for buffer overflow and post-authentication command injection vulnerabilities
  • 2024-12-03 - CVE-2024-8748 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-8748

Vulnerability Analysis

The vulnerability resides in the packet parsing logic of libclinkc, a third-party library integrated into Zyxel firmware to process management traffic. When the web management interface receives an HTTP POST request, the request body is passed to a parser routine within libclinkc that fails to enforce proper bounds checking on input length. A crafted payload causes the parser to write past the bounds of a fixed-size buffer, corrupting adjacent memory and crashing the responsible process. Because the web management daemon handles administrative HTTP traffic, the crash temporarily removes the device's management plane until the process is restarted.

Root Cause

The root cause is classic improper restriction of operations within the bounds of a memory buffer [CWE-120] inside the libclinkc HTTP packet parser. The parser dereferences attacker-controlled length values without validating them against the destination buffer size. The flaw is exploitable pre-authentication because the vulnerable parsing code runs before any session or credential check is enforced on the affected endpoint.

Attack Vector

The attack vector is network-based against the device's HTTP-based web management interface. An attacker sends a single specially crafted HTTP POST request containing oversized or malformed fields that the libclinkc parser does not validate. No credentials, no user interaction, and no prior foothold are required. The observed impact is limited to availability — confidentiality and integrity are not affected — and the device typically restarts the affected service automatically.

No verified public proof-of-concept is available for CVE-2024-8748.
Refer to the Zyxel security advisory for vendor-confirmed technical details.

Detection Methods for CVE-2024-8748

Indicators of Compromise

  • Unexpected restarts or crash logs from the web management daemon on affected Zyxel CPE devices.
  • Loss of access to the device's HTTP/HTTPS administration interface following inbound POST traffic from untrusted sources.
  • HTTP POST requests to the device management interface containing unusually large body sizes or malformed header fields originating from external or unmanaged networks.

Detection Strategies

  • Inspect network traffic to Zyxel device management interfaces for HTTP POST requests with anomalous content lengths or non-standard parser-targeting payloads.
  • Correlate device watchdog or service-restart events with inbound HTTP traffic to identify potential exploitation attempts.
  • Use authenticated firmware version checks against the inventory of Zyxel CPE devices to identify assets running vulnerable builds at or below V5.50(ABOM.8.4)C0.
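The two detection strategies above (anomalous POSTs to the management interface, and correlating daemon restarts with inbound HTTP traffic) as an added example that is not part of the original page. The log formats, the 10.0.10.0/24 admin subnet, the 64 KiB body threshold and the 30-second correlation window are all assumptions; the sample records are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the page or any real device): HTTP request
# records seen at the CPE management interface, and syslog lines from the device.
HTTP_LOG = [
    "2024-12-05T10:01:02Z src=203.0.113.7 dst=198.51.100.10 method=POST len=131072",
    "2024-12-05T10:01:03Z src=10.0.10.5 dst=198.51.100.10 method=POST len=512",
    "2024-12-05T10:20:00Z src=203.0.113.7 dst=198.51.100.10 method=GET len=0",
]
SYSLOG = [
    "2024-12-05T10:01:04Z cpe daemon: httpd exited on signal 11, restarting",
    "2024-12-05T11:30:00Z cpe daemon: httpd started",
]
TRUSTED = [ipaddress.ip_network("10.0.10.0/24")]  # assumed admin subnet
MAX_BODY = 64 * 1024                              # assumed upper bound for legitimate admin POSTs
RESTART_RE = re.compile(r"httpd.*(exited|restart)", re.I)  # assumed crash/restart wording

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_http(line):
    """Parse one 'ts key=value ...' record into a dict with a datetime and int length."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = _ts(ts)
    rec["len"] = int(rec["len"])
    return rec

def suspicious_posts(lines, trusted=TRUSTED, max_body=MAX_BODY):
    """POSTs to the management interface that are oversized or from outside the admin nets."""
    out = []
    for rec in map(parse_http, lines):
        if rec["method"] != "POST":
            continue
        src = ipaddress.ip_address(rec["src"])
        reasons = []
        if not any(src in net for net in trusted):
            reasons.append("untrusted-src")
        if rec["len"] > max_body:
            reasons.append("oversized-body")
        if reasons:
            rec["reasons"] = reasons
            out.append(rec)
    return out

def correlate_restarts(posts, syslog, window=timedelta(seconds=30)):
    """Pair each suspicious POST with an httpd crash/restart logged within `window` after it."""
    restarts = [(_ts(l.split()[0]), l) for l in syslog if RESTART_RE.search(l)]
    return [(p, l) for p in posts for t, l in restarts if p["ts"] <= t <= p["ts"] + window]
```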

Monitoring Recommendations

  • Enable syslog forwarding from Zyxel devices to a central log platform and alert on repeated daemon crashes or restart events.
  • Monitor for sudden loss of HTTPS reachability to device management IPs from authorized administrative networks.
  • Track inbound connections to TCP 80/443 on CPE devices from sources outside expected management subnets.

How to Mitigate CVE-2024-8748

Immediate Actions Required

  • Apply the patched firmware released by Zyxel for each affected model as listed in the vendor advisory.
  • Restrict access to the device web management interface to trusted administrative networks only — block WAN-side access to HTTP and HTTPS management ports.
  • Inventory all Zyxel CPE, ONT, LTE/5G, and WiFi extender models in the environment and validate firmware versions against the vendor's fixed-version list.

Patch Information

Zyxel published fixed firmware for the affected product families in its advisory dated 2024-12-03. Refer to the Zyxel Security Advisory for Buffer Overflow and Post-Authentication Command Injection Vulnerabilities for the exact patched build for each model. Upgrade affected VMG8825-T50K devices to a firmware version newer than V5.50(ABOM.8.4)C0.

Workarounds

  • Disable remote (WAN) management on the device and permit administrative HTTP/HTTPS access only from internal management VLANs.
  • Place affected devices behind a firewall or ACL that filters HTTP POST requests to the management interface from untrusted sources.
  • Where supported, enable rate limiting on the management interface to reduce the impact of repeated crash attempts.
```bash
# Configuration example
# Restrict device management access to an administrative subnet using upstream firewall rules.
# (Replace 10.0.10.0/24 with your trusted management network and 198.51.100.10 with the device IP.)
# Allow HTTP/HTTPS to the device only from the management subnet ...
iptables -A FORWARD -s 10.0.10.0/24 -d 198.51.100.10 -p tcp -m multiport --dports 80,443 -j ACCEPT
# ... and drop management traffic from every other source.
iptables -A FORWARD -d 198.51.100.10 -p tcp -m multiport --dports 80,443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
