Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and Wi-Fi extenders
CVEs: CVE-2024-8748, CVE-2024-9197, CVE-2024-9200
Summary
Zyxel has released patches for some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions affected by buffer overflow and post-authentication command injection vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2024-8748
A buffer overflow vulnerability in the packet parser of the third-party library “libclinkc” in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions could allow an attacker to cause denial of service (DoS) conditions against the web management interface by sending a crafted HTTP POST request to a vulnerable device. Note that WAN access is disabled by default on the devices, and the device still functions as expected in processing network traffic, even if the attack is successful.
CVE-2024-9197
A post-authentication buffer overflow vulnerability in the parameter “action” of the CGI program in some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender firmware versions could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface by sending a crafted HTTP GET request to a vulnerable device if the function ZyEE is enabled. Note that the function ZyEE and WAN access are disabled by default on the devices, and the device still functions as expected in processing network traffic, even if the attack is successful.
CVE-2024-9200
A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in some DSL/Ethernet CPE firmware versions could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if the strong, unique administrator passwords have been compromised.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products within their vulnerability support period and released firmware patches to address the vulnerabilities, as shown in the tables below. The tables do NOT include customized models specifically designed for ISP customers. Any on-market product not listed in the tables is NOT affected.
• Models affected by CVE-2024-8748
| Product | Affected model | Affected version | Patch availability* |
| 4G LTE/5G NR CPE | LTE3301-PLUS | V1.00(ABQU.5)C0 and earlier | V1.00(ABQU.6)C0 |
|  | LTE5388-M804 | V1.00(ABSQ.4)C0 and earlier | V1.00(ABSQ.5)C0 |
|  | LTE5398-M904 | V1.00(ABQV.4)C0 and earlier | V1.00(ABQV.5)C0 |
|  | LTE7480-M804 | V1.00(ABRA.9)C0 and earlier | V1.00(ABRA.10)C0 |
|  | LTE7490-M904 | V1.00(ABQY.8)C0 and earlier | V1.00(ABQY.9)C0 |
|  | NR7101 | V1.00(ABUV.10)C0 and earlier | V1.00(ABUV.11)C0 |
|  | NR7102 | V1.00(ABYD.3)C0 and earlier | V1.00(ABYD.4)C0 |
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX4510-B0 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 |
|  | DX4510-B1 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 |
|  | DX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | DX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EE6510-10 | V5.19(ACJQ.0)C0 and earlier | V5.19(ACJQ.1)C0 |
|  | EX2210-T0 | V5.50(ACDI.1)C0 and earlier | V5.50(ACDI.2)C0 |
|  | EX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3500-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 |
|  | EX3501-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 |
|  | EX3510-B0 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 |
|  | EX3510-B1 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 |
|  | EX3600-T0 | V5.70(ACIF.0.3)C0 and earlier | V5.70(ACIF.0.4)C0 |
|  | EX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EX5501-B0 | V5.17(ABRY.5.2)C0 and earlier | V5.17(ABRY.5.3)C0 |
|  | EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)C0 |
|  | EX5512-T0 | V5.70(ACEG4.1)C0 and earlier | V5.70(ACEG4.2)C0 |
|  | EX5600-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX5601-T0 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX5601-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX7501-B0 | V5.18(ACHN.1.2)C0 and earlier | V5.18(ACHN.1.3)C0 |
|  | EX7710-B0 | V5.18(ACAK.1)C1 and earlier | V5.18(ACAK.1.1)C0 |
|  | EMG3525-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | EMG5523-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | EMG5723-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
|  | EMG6726-B10A | V5.13(ABNP.8)C0 and earlier | V5.13(ABNP.8)C1 |
|  | VMG3625-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | VMG3927-B50B | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 |
|  | VMG3927-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
|  | VMG4005-B50A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 |
|  | VMG4005-B60A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 |
|  | VMG4005-B50B | V5.13(ABRL.5.1)C0 and earlier | V5.13(ABRL.5.2)C0 |
|  | VMG4927-B50A | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 |
|  | VMG8623-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | VMG8825-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
|  |  | V5.50(ABPY.1)b25 and earlier | V5.50(ABPY.1)b26 |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
|  | AX7501-B1 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
|  | PM3100-T0 | V5.42(ACBF.2.1)C0 and earlier | V5.42(ACBF.3)C0 |
|  | PM5100-T0 | V5.42(ACBF.2.1)C0 and earlier | V5.42(ACBF.3)C0 |
|  | PM7300-T0 | V5.42(ABYY.2.2)C0 and earlier | V5.42(ABYY.2.3)C0 |
|  | PM7500-T0 | V5.61(ACKK.0)C0 and earlier | V5.61(ACKK.0.1)C0 |
|  | PX3321-T1 | V5.44(ACJB.1)C0 and earlier | V5.44(ACJB.1.1)C0 |
|  |  | V5.44(ACHK.0.2)C0 and earlier | V5.44(ACHK.0.3)C0 |
|  | PX5301-T0 | V5.44(ACKB.0)C0 and earlier | V5.44(ACKB.0.1)C0 |
| Wi-Fi extender | WX3100-T0 | V5.50(ABVL.4.3)C0 and earlier | V5.50(ABVL.4.4)C0 |
|  | WX3401-B0 | V5.17(ABVE.2.5)C0 and earlier | V5.17(ABVE.2.6)C0 |
|  | WX3401-B1 | V5.17(ABVE.2.5)C0 and earlier | V5.17(ABVE.2.6)C0 |
|  | WX5600-T0 | V5.70(ACEB.3.2)C0 and earlier | V5.70(ACEB.3.3)C0 |
|  | WX5610-B0 | V5.18(ACGJ.0)C2 and earlier | V5.18(ACGJ0.1)C0 |
• Models affected by CVE-2024-9197
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | DX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | DX4510-B0 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 |
|  | DX4510-B1 | V5.17(ABYL.7)C0 and earlier | V5.17(ABYL.8)C0 |
|  | DX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | DX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EE6510-10 | V5.19 (ACJQ.0)C0 and earlier | V5.19 (ACJQ.1)C0 |
|  | EX3300-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3300-T1 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3301-T0 | V5.50(ABVY.5.3)C0 and earlier | V5.50(ABVY.5.4)C0 |
|  | EX3500-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 |
|  | EX3501-T0 | V5.44(ACHR.2)C0 and earlier | V5.44(ACHR.3)C0 |
|  | EX3510-B0 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 |
|  | EX3510-B1 | V5.17(ABUP.12)C0 and earlier | V5.17(ABUP.13)C0 |
|  | EX5401-B0 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EX5401-B1 | V5.17(ABYO.6.3)C0 and earlier | V5.17(ABYO.6.4)C0 |
|  | EX5501-B0 | V5.17(ABRY.5.2)C0 and earlier | V5.17(ABRY.5.3)C0 |
|  | EX5510-B0 | V5.17(ABQX.10)C0 and earlier | V5.17(ABQX.11)C0 |
|  | EX5600-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX5601-T0 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX5601-T1 | V5.70(ACDZ.3.3)C0 and earlier | V5.70(ACDZ.3.4)C0 |
|  | EX7501-B0 | V5.18(ACHN.1.2)C0 and earlier | V5.18(ACHN.1.3)C0 |
|  | EMG3525-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | EMG5523-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | EMG5723-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
|  | VMG3625-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | VMG3927-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
|  | VMG8623-T50B | V5.50(ABPM.9.2)C0 and earlier | V5.50(ABPM.9.3)C0 |
|  | VMG8825-T50K | V5.50(ABOM.8.4)C0 and earlier | V5.50(ABOM.8.5)C0 |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
|  | AX7501-B1 | V5.17(ABPC.5.2)C0 and earlier | V5.17(ABPC.5.3)C0 |
|  | EX3600-T0 | V5.70(ACIF.0.3)C0 and earlier | V5.70(ACIF.0.4)C0 |
|  | PX3321-T1 | V5.44(ACJB.1)C0 and earlier | V5.44(ACJB.1.1)C0 |
|  |  | V5.44(ACHK.0.2)C0 and earlier | V5.44(ACHK.0.3)C0 |
|  | PX5301-T0 | V5.44(ACKB.0)C0 and earlier | V5.44(ACKB.0.1)C0 |
| Wi-Fi extender | WX5600-T0 | V5.70(ACEB.3.2)C0 and earlier | V5.70(ACEB.3.3)C0 |
• Models affected by CVE-2024-9200
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | EMG6726-B10A | V5.13(ABNP.8)C0 and earlier | V5.13(ABNP.8)C1 |
|  | VMG3927-B50B | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 |
|  | VMG4005-B50A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 |
|  | VMG4005-B60A | V5.15(ABQA.2.2)C0 and earlier | V5.15(ABQA.2.3)C0 |
|  | VMG4005-B50B | V5.13(ABRL.5.1)C0 and earlier | V5.13(ABRL.5.2)C0 |
|  | VMG4927-B50A | V5.13 (ABLY.9)C0 and earlier | V5.13(ABLY.9)C1 |
* Please contact your Zyxel sales representative or support team to obtain the file.
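For checking a device inventory against the tables above, the following is an added example and not Zyxel code. It assumes versions order by base release, then the dotted numbers inside the parentheses, then the trailing C/b number, which matches every affected/patched pair listed here; strings that do not fit that layout, such as V5.18(ACGJ0.1)C0, are reported as "unknown" for manual review.

```python
import re

# Layout seen in the advisory tables, e.g. V5.50(ABVY.5.3)C0 or V5.50(ABPY.1)b26.
_VERSION = re.compile(r"^V(\d+)\.(\d+)\s*\(([A-Z]+)\.(\d+(?:\.\d+)*)\)\s*([A-Za-z])(\d+)$")

def parse_version(text):
    """Split a version into (base, firmware code, build, suffix); None if it does not fit."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, code, build, letter, num = m.groups()
    return ((int(major), int(minor)), code,
            tuple(int(p) for p in build.split(".")), (letter, int(num)))

def classify(installed, fixed):
    """Return 'patched', 'vulnerable' or 'unknown' for installed vs. first fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None or b is None:
        return "unknown"
    # A different firmware code or suffix letter (C vs b) has no defined ordering here.
    if a[1] != b[1] or a[3][0] != b[3][0]:
        return "unknown"
    # Assumed ordering: base release, then build numbers, then suffix number.
    key = lambda v: (v[0], v[2], v[3][1])
    return "patched" if key(a) >= key(b) else "vulnerable"

# First fixed versions copied from the advisory tables (subset).
FIXED = {
    "NR7101": "V1.00(ABUV.11)C0",
    "EMG6726-B10A": "V5.13(ABNP.8)C1",
    "EX7710-B0": "V5.18(ACAK.1.1)C0",
    "WX5610-B0": "V5.18(ACGJ0.1)C0",
}

def audit(inventory):
    """Map each (model, installed version) pair to a status; other models are 'not listed'."""
    return {(m, v): classify(v, FIXED[m]) if m in FIXED else "not listed"
            for m, v in inventory}

# Constructed inventory for illustration, not real device data.
SAMPLE = [
    ("NR7101", "V1.00(ABUV.10)C0"), ("NR7101", "V1.00(ABUV.11)C0"),
    ("EMG6726-B10A", "V5.13(ABNP.8)C0"), ("EX7710-B0", "V5.18(ACAK.1)C1"),
    ("WX5610-B0", "V5.18(ACGJ.0)C2"),
]

if __name__ == "__main__":
    for (model, ver), status in audit(SAMPLE).items():
        print(f"{model:14} {ver:20} {status}")
```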
Got a question?
For our ISP customers, please contact your Zyxel sales or service representatives for more information. For customers who have acquired Zyxel devices through an ISP, please directly contact your ISP's support team, as the devices may have custom configurations.
Acknowledgment
Thanks to the following security researchers:
- Dawid Kulikowski for CVE-2024-8748
- k0mor3b1 from Secdriver for CVE-2024-9197
- Erik de Jong for CVE-2024-9200
Revision history
2024-12-3: Initial release