Zyxel security advisory for post-authentication command injection vulnerabilities in certain DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices
CVEs: CVE-2024-11253, CVE-2024-12009, CVE-2024-12010
Summary
Zyxel has released patches for certain DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions affected by post-authentication command injection vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-11253
The post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in certain DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
CVE-2024-12009
The post-authentication command injection vulnerability in the "ZyEE" function of certain DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
CVE-2024-12010
The post-authentication command injection vulnerability in the ”zyUtilMailSend” function of certain DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions could allow an authenticated attacker with administrator privileges to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable products within their vulnerability support period and have released firmware patches to address these vulnerabilities, as shown in the tables below. Please note that the tables do not include customized models specifically designed for ISP customers. Any on-market product not listed in the table is not affected.
• Models affected by CVE-2024-11253
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 |
| DM4200-B0 | V5.17(ACBS.1)C0 and earlier | V5.17(ACBS.1.1)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG4005-B50A | V5.15(ABQA.2.3)C0 and earlier | V5.15(ABQA.2.4)C0 | |
| VMG4005-B60A | V5.15(ABQA.2.3)C0 and earlier | V5.15(ABQA.2.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 |
• Models affected by CVE-2024-12009
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 |
| DX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX4510-B0 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX4510-B1 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| DX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EE6510-10 | V5.19(ACJQ.1)C1 and earlier | V5.19(ACJQ.2)C0 | |
| EX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3500-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3501-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3510-B0 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3510-B1 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3600-T0 | V5.70(ACIF.0.5)C0 and earlier | V5.70(ACIF.1)C0 | |
| EX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5501-B0 | V5.17(ABRY.5.3)C0 and earlier | V5.17(ABRY.5.4)C0 | |
| EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)b2 | |
| EX5512-T0 | V5.70(ACEG4.2)C0 and earlier | V5.70(ACEG4.3)C0 | |
| EX5601-T0 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX7501-B0 | V5.18(ACHN.1.3)C0 and earlier | V5.18(ACHN.2)C0 | |
| EX7710-B0 | V5.18(ACAK.1.1)C1 and earlier | V5.18(ACAK.1.2)C0 | |
| EMG3525-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5523-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG3625-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG8623-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 |
| AX7501-B1 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 | |
| PX3321-T1 | V5.44(ACJB.1.1)C0 and earlier | V5.44(ACJB.1.2)C0 | |
| PX5301-T0 | V5.44(ACKB.0.1)C0 and earlier | V5.44(ACKB.0.2)C0 | |
| Wi-Fi extender | WX5600-T0 | V5.70(ACEB.3.3)C0 and earlier | V5.70(ACEB.4)C0 |
| WX5610-B0 | V5.18(ACGJ.0.1)C0 and earlier | V5.18(ACGJ.0.2)C0 |
• Models affected by CVE-2024-12010
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 |
| DX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| DX4510-B0 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX4510-B1 | V5.17(ABYL.8)C0 and earlier | V5.17(ABYL.9)b1 | |
| DX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| DX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EE6510-10 | V5.19(ACJQ.1)C1 and earlier | V5.19(ACJQ.2)C0 | |
| EX3300-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3300-T1 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3301-T0 | V5.50(ABVY.5.4)C0 and earlier | V5.50(ABVY.5.6)C0 | |
| EX3500-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3501-T0 | V5.44(ACHR.3)C0 and earlier | V5.44 (ACHR.3.1)C0 | |
| EX3510-B0 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3510-B1 | V5.17(ABUP.13)C0 and earlier | V5.17(ABUP.14)b1 | |
| EX3600-T0 | V5.70(ACIF.0.5)C0 and earlier | V5.70(ACIF.1)C0 | |
| EX5401-B0 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5401-B1 | V5.17(ABYO.6.4)C0 and earlier | V5.17(ABYO.6.5)C0 | |
| EX5501-B0 | V5.17(ABRY.5.3)C0 and earlier | V5.17(ABRY.5.4)C0 | |
| EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)b2 | |
| EX5512-T0 | V5.70(ACEG4.2)C0 and earlier | V5.70(ACEG4.3)C0 | |
| EX5601-T0 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.3.6)C0 and earlier | V5.70(ACDZ.4)C0 | |
| EX7501-B0 | V5.18(ACHN.1.3)C0 and earlier | V5.18(ACHN.2)C0 | |
| EX7710-B0 | V5.18(ACAK.1.1)C1 and earlier | V5.18(ACAK.1.2)C0 | |
| EMG3525-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5523-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG3625-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| VMG8623-T50B | V5.50(ABPM.9.3)C0 and earlier | V5.50(ABPM.9.4)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.5)C0 and earlier | V5.50(ABOM.8.6)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 |
| AX7501-B1 | V5.17(ABPC.5.3)C0 and earlier | V5.17(ABPC.6)C0 | |
| PX3321-T1 | V5.44(ACJB.1.1)C0 and earlier | V5.44(ACJB.1.2)C0 | |
| V5.44(ACHK.0.3)C0 and earlier | V5.44(ACHK.1)C0 | ||
| PX5301-T0 | V5.44(ACKB.0.1)C0 and earlier | V5.44(ACKB.0.2)C0 | |
| Wi-Fi extender | WX3100-T0 | V5.50(ABVL.4.5)C0 and earlier | V5.50(ABVL.4.6)C0 |
| WX3401-B0 | V5.17(ABVE.2.6)C0 and earlier | V5.17(ABVE.2.7)C0 | |
| WX3401-B1 | V5.17(ABVE.2.6)C0 and earlier | V5.17(ABVE.2.7)C0 | |
| WX5600-T0 | V5.70(ACEB.3.3)C0 and earlier | V5.70(ACEB.4)C0 | |
| WX5610-B0 | V5.18(ACGJ.0.1)C0 and earlier | V5.18(ACGJ.0.2)C0 |
* Please contact your Zyxel sales representative or support team to obtain the file.
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to the following security researchers and consultancies:
- Erik de Jong for CVE-2024-11253
- Dawid Kulikowski for CVE-2024-12009
- Martin Wrona (from Digitec Galaxus AG) and ONEKEY for CVE-2024-12010
Revision history
2025-3-11: Initial release