Zyxel security advisory for post-authentication command injection vulnerabilities in certain DSL/Ethernet CPE, fiber ONT, and WiFi extender devices
CVEs: CVE-2024-11253, CVE-2024-12009, CVE-2024-12010
Summary
Zyxel has released patches for certain DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions affected by post-authentication command injection vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-11253
The post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in certain DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
CVE-2024-12009
The post-authentication command injection vulnerability in the "ZyEE" function of certain DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
CVE-2024-12010
The post-authentication command injection vulnerability in the ”zyUtilMailSend” function of certain DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products within their vulnerability support period and have released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
Table 1. Models affected by CVE-2024-11253
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 |
| DM4200-B0 | V5.17(ACBS.1)C0 and earlier | V5.17(ACBS.1.1)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG4005-B50A | V5.15(ABQA.2.3)C0 and earlier | V5.15(ABQA.2.4)C0 | |
| VMG4005-B60A | V5.15(ABQA.2.3)C0 and earlier | V5.15(ABQA.2.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 2. Models affected by CVE-2024-12009
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 |
| DX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX4510-B0 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX4510-B1 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| DX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EE6510-10 | V5.19(ACJQ.1)C1 and earlier | V5.19(ACJQ.2)C0 | |
| EX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3500-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3501-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3510-B0 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3510-B1 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3600-T0 | V5.70(ACIF.0.5)C0 and earlier | V5.70(ACIF.1)C0 | |
| EX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5501-B0 | V5.17(ABRY.5.3)C0 and earlier | V5.17(ABRY.5.4)C0 | |
| EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)b2 | |
| EX5512-T0 | V5.70(ACEG4.2)C0 and earlier | V5.70(ACEG4.3)C0 | |
| EX5601-T0 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX7501-B0 | V5.18(ACHN.1.3)C0 and earlier | V5.18(ACHN.2)C0 | |
| EX7710-B0 | V5.18(ACAK.1.1)C1 and earlier | V5.18(ACAK.1.2)C0 | |
| EMG3525-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5523-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG3625-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG8623-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 |
| AX7501-B1 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 | |
| PX3321-T1 | V5.44(ACJB.1.1)C0 and earlier | V5.44(ACJB.1.2)C0 | |
| PX5301-T0 | V5.44(ACKB.0.1)C0 and earlier | V5.44(ACKB.0.2)C0 | |
| Wi-Fi extender | WX5600-T0 | V5.70(ACEB.3.3)C0 and earlier | V5.70(ACEB.4)C0 |
| WX5610-B0 | V5.18(ACGJ.0.1)C0 and earlier | V5.18(ACGJ.0.2)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Table 3. Models affected by CVE-2024-12010
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 |
| DX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX4510-B0 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX4510-B1 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| DX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EE6510-10 | V5.19(ACJQ.1)C1 and earlier | V5.19(ACJQ.2)C0 | |
| EX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3500-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3501-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3510-B0 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3510-B1 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3600-T0 | V5.70(ACIF.0.5)C0 and earlier | V5.70(ACIF.1)C0 | |
| EX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5501-B0 | V5.17(ABRY.5.3)C0 and earlier | V5.17(ABRY.5.4)C0 | |
| EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)b2 | |
| EX5512-T0 | V5.70(ACEG4.2)C0 and earlier | V5.70(ACEG4.3)C0 | |
| EX5601-T0 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX7501-B0 | V5.18(ACHN.1.3)C0 and earlier | V5.18(ACHN.2)C0 | |
| EX7710-B0 | V5.18(ACAK.1.1)C1 and earlier | V5.18(ACAK.1.2)C0 | |
| EMG3525-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5523-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG3625-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG8623-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 |
| AX7501-B1 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 | |
| PX3321-T1 | V5.44(ACJB.1.1)C0 and earlier V5.44(ACHK.0.3)C0 and earlier |
V5.44(ACJB.1.2)C0 V5.44(ACHK.1)C0 |
|
| PX5301-T0 | V5.44(ACKB.0.1)C0 and earlier | V5.44(ACKB.0.2)C0 | |
| Wi-Fi extender | WX3100-T0 | V5.50(ABVL.4.5)C0 and earlier | V5.50(ABVL.4.6)C0 |
| WX3401-B0 | V5.17(ABVE.2.6)C0 and earlier | V5.17(ABVE.2.7)C0 | |
| WX3401-B1 | V5.17(ABVE.2.6)C0 and earlier | V5.17(ABVE.2.7)C0 | |
| WX5600-T0 | V5.70(ACEB.3.3)C0 and earlier | V5.70(ACEB.4)C0 | |
| WX5610-B0 | V5.18(ACGJ.0.1)C0 and earlier | V5.18(ACGJ.0.2)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
For ISPs, please contact your Zyxel sales or service representatives for further details.
For end-users who acquired their Zyxel device from an ISP, we recommend reaching out directly to the ISP’s support team, as the device may have custom-built settings.
For end-users who purchased their Zyxel device themselves, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.
Got a question?
Please contact your local service representatives or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Erik de Jong for CVE-2024-11253
- Dawid Kulikowski for CVE-2024-12009
- Martin Wrona (from Digitec Galaxus AG) and ONEKEY for CVE-2024-12010
Revision history
2025-3-11: Initial release