CVE-2024-7203

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7203
A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*
OR cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*
History

13 Dec 2024, 16:14

Type Values Removed Values Added
First Time Zyxel zld
CPE cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

05 Sep 2024, 14:33

Type Values Removed Values Added
CPE cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*
cpe:2.3:o:zyxel:zld_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100ax:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*
First Time Zyxel usg Flex 50
Zyxel atp800
Zyxel atp500
Zyxel atp700
Zyxel usg Flex 200
Zyxel usg Flex 500
Zyxel usg Flex 100ax
Zyxel usg Flex 50w
Zyxel usg Flex 100
Zyxel usg Flex 700
Zyxel usg Flex 100w
Zyxel atp100w
Zyxel
Zyxel atp100
Zyxel atp200
Zyxel zld Firmware
References () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 - () https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 - Vendor Advisory

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad de inyección de comandos posterior a la autenticación en las versiones de firmware de la serie Zyxel ATP de V4.60 a V5.38 y en las versiones de firmware de la serie USG FLEX de V4.60 a V5.38 podría permitir que un atacante autenticado con privilegios de administrador ejecute algunos comandos del sistema operativo (OS) en un dispositivo afectado mediante la ejecución de un comando CLI manipulado específicamente.

03 Sep 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-03 02:15

Updated : 2024-12-13 16:14

NVD link : CVE-2024-7203

Mitre link : CVE-2024-7203

CVE.ORG link : CVE-2024-7203

JSON object : View

Products Affected

zyxel

  • atp100w
  • usg_flex_100ax
  • atp200
  • usg_flex_500
  • usg_flex_100w
  • usg_flex_200
  • atp100
  • usg_flex_50
  • usg_flex_50w
  • atp500
  • atp800
  • usg_flex_700
  • usg_flex_100
  • atp700
  • zld
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')