CVE-2024-7203

high

Description

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

References

https://latesthackingnews.com/2024/09/06/zyxel-patched-numerous-security-flaws-across-different-products/

https://thehackernews.com/2024/09/zyxel-patches-critical-os-command.html

https://www.helpnetsecurity.com/2024/09/03/cve-2024-7261/

https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-os-command-injection-flaw-in-routers/

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

Details

Source: Mitre, NVD

Published: 2024-09-03

Updated: 2024-09-05

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Severity: High