A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware could allow an authenticated LAN user to execute arbitrary OS commands via the GUI of the vulnerable device.
References
Link | Resource |
---|---|
https://www.zyxel.com/support/Zyxel_security_advisory_for_OS_command_injection_vulnerabilities_of_switches.shtml | Patch Vendor Advisory |
History
07 Jan 2022, 16:59
Type | Values Removed | Values Added |
---|---|---|
First Time | Zyxel gs1900-24hp, Zyxel gs1900-24, Zyxel gs1900-24e Firmware, Zyxel gs1900-48 Firmware, Zyxel gs1900-48hpv2, Zyxel gs1900-48hpv2 Firmware, Zyxel gs1900-48, Zyxel gs1900-24ep Firmware, Zyxel gs1900-10hp, Zyxel gs1900-24hpv2 Firmware, Zyxel xgs1210-12, Zyxel, Zyxel gs1900-48hp, Zyxel gs1900-8hp, Zyxel gs1900-16 Firmware, Zyxel gs1900-24hp Firmware, Zyxel gs1900-16, Zyxel gs1900-8, Zyxel gs1900-8 Firmware, Zyxel xgs1250-12 Firmware, Zyxel gs1900-10hp Firmware, Zyxel xgs1250-12, Zyxel gs1900-48hp Firmware, Zyxel gs1900-24hpv2, Zyxel gs1900-8hp Firmware, Zyxel gs1900-24 Firmware, Zyxel xgs1210-12 Firmware, Zyxel gs1900-24ep, Zyxel gs1900-24e |
References | (CONFIRM) https://www.zyxel.com/support/Zyxel_security_advisory_for_OS_command_injection_vulnerabilities_of_switches.shtml - Patch, Vendor Advisory | |
CPE | cpe:2.3:h:zyxel:gs1900-8:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-8hp_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-48hp:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-10hp:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-24_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:xgs1250-12:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-24hp:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:xgs1210-12_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-10hp_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-8hp:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-24:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-48hp_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-16:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-24hp_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:xgs1210-12:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-16_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:xgs1250-12_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:gs1900-8_firmware:*:*:*:*:*:*:*:* |
CVSS | v2 : v3 : | v2 : 7.7, v3 : 8.0 |
CWE | CWE-78 |
28 Dec 2021, 16:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware, which could allow an authenticated LAN user to execute arbitrary OS commands via the GUI of the vulnerable device. |
28 Dec 2021, 12:35
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-28 11:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-35031
Mitre link : CVE-2021-35031
CVE.ORG link : CVE-2021-35031
Products Affected
zyxel
- gs1900-48hpv2
- gs1900-48hp_firmware
- gs1900-24
- gs1900-48hp
- gs1900-24hpv2
- gs1900-24hp_firmware
- gs1900-8
- gs1900-10hp_firmware
- gs1900-48_firmware
- gs1900-8hp_firmware
- gs1900-24_firmware
- gs1900-24e_firmware
- gs1900-24e
- gs1900-24ep
- gs1900-10hp
- gs1900-24hpv2_firmware
- gs1900-8hp
- gs1900-24hp
- xgs1250-12
- xgs1210-12_firmware
- gs1900-16_firmware
- xgs1210-12
- gs1900-24ep_firmware
- gs1900-8_firmware
- gs1900-16
- gs1900-48hpv2_firmware
- gs1900-48
- xgs1250-12_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')