CVE-2024-8881

MEDIUM EPSS 47.8%
Published Nov 12, 20241y ago · Modified Jun 17, 20261w ago
6.8 CVSS 3.1
Medium
Find Similar
Published Nov 12, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request.

CVSS Details

Base Score
6.8
Exploitability
0.9
Impact
5.9
Vector string
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector Adjacent
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
47.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 20

VendorProductVersionRange
zyxelgs1900-8_firmware* <2.90\(aahh.0\)c0
zyxelgs1900-8*any
zyxelgs1900-8hp_firmware* <2.90\(aahi.0\)c0
zyxelgs1900-8hp*any
zyxelgs1900-10hp_firmware* <2.90\(aazi.0\)c0
zyxelgs1900-10hp*any
zyxelgs1900-16_firmware* <2.90\(aahj.0\)c0
zyxelgs1900-16*any
zyxelgs1900-24_firmware* <2.90\(aahl.0\)c0
zyxelgs1900-24*any
zyxelgs1900-24e_firmware* <2.90\(aahk.0\)c0
zyxelgs1900-24e*any
zyxelgs1900-24ep_firmware* <2.90\(abto.0\)c0
zyxelgs1900-24ep*any
zyxelgs1900-24hpv2_firmware* <2.90\(abtp.0\)c0
zyxelgs1900-24hpv2*any
zyxelgs1900-48_firmware* <2.90\(aahn.0\)c0
zyxelgs1900-48*any
zyxelgs1900-48hpv2_firmware* <2.90\(abtq.0\)c0
zyxelgs1900-48hpv2*any

References 1

  • zyxel.com https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-and-buffer-overflow-vulnerabilities-in-gs1900-series-switches-11-12-2024
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.