#VU62547 OS Command Injection in ZyXEL Communications Corp. products - CVE-2022-26413
Published: April 25, 2022
Vulnerability identifier: #VU62547
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-26413
CWE-ID: CWE-78
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
EMG5723-T50K
VMG1312-T20B
VMG3625-T50B
VMG3927-B50A
VMG3927-B60A
VMG3927-T50K
VMG8623-T50B
VMG8825-B50A
VMG8825-B50B
VMG8825-T50K
VMG8825-B60A
VMG8825-B60B
XMG3927-B50A
XMG8825-B50A
DX5401-B0
EX3510-B0
EX5401-B0
EP240P
PM7300-T0
PMG5617-T20B2
PX7501-B0
EX5501-B0
AX7501-B0
PMG5317-T20B
PMG5617GA
PMG5622GA
EMG5723-T50K
VMG1312-T20B
VMG3625-T50B
VMG3927-B50A
VMG3927-B60A
VMG3927-T50K
VMG8623-T50B
VMG8825-B50A
VMG8825-B50B
VMG8825-T50K
VMG8825-B60A
VMG8825-B60B
XMG3927-B50A
XMG8825-B50A
DX5401-B0
EX3510-B0
EX5401-B0
EP240P
PM7300-T0
PMG5617-T20B2
PX7501-B0
EX5501-B0
AX7501-B0
PMG5317-T20B
PMG5617GA
PMG5622GA
Software vendor:
ZyXEL Communications Corp.
ZyXEL Communications Corp.
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the CGI program. A remote user on the local network can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.