#VU49097 Input validation error in ZyXEL Communications Corp. products
Published: December 19, 2020
Vulnerability identifier: #VU49097
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
EMG3525-T50B
EMG5523-T50B
EMG5723-T50K
EMG6726-B10A
EX3510-B0
EX5510-B0
VMG3625-T50B
VMG3925-B10B/B10C
VMG3927-B50A_B60A
VMG3927-B50B
VMG3927-T50K
VMG4005-B50B
VMG4927-B50A
VMG8623-T50B
VMG8825-B50A_B60A
VMG8825-Bx0B
VMG8825-T50K
VMG8924-B10D
XMG3927-B50A
XMG8825-B50A
VMG1312-T20B
EMG3525-T50B
EMG5523-T50B
EMG5723-T50K
EMG6726-B10A
EX3510-B0
EX5510-B0
VMG3625-T50B
VMG3925-B10B/B10C
VMG3927-B50A_B60A
VMG3927-B50B
VMG3927-T50K
VMG4005-B50B
VMG4927-B50A
VMG8623-T50B
VMG8825-B50A_B60A
VMG8825-Bx0B
VMG8825-T50K
VMG8924-B10D
XMG3927-B50A
XMG8825-B50A
VMG1312-T20B
Software vendor:
ZyXEL Communications Corp.
ZyXEL Communications Corp.
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP requests in zhttpd webserver. A remote attacker can send specially crafted HTTP request to the affected device and execute arbitrary code on the system.
Successful exploitation of the vulnerability will result in a complete compromise of the router.
Remediation
Install updates from vendor's website.
Note, some of the firmware updates are scheduled to be released during 2021.