CVE-2024-9677

Published: Oct 22, 2024Modified: Dec 5, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.

Affected (1)

Products: Zyxel: Uos

Zyxel

1 product

Uos

Configuration A

1 vulnerable · 5 platform

Vulnerable Software	Affected Versions
Zyxel Uos	Before 1.30

Running on/with	Platform Versions
Zyxel Usg Flex 100h	All versions
Zyxel Usg Flex 200h	All versions
Zyxel Usg Flex 200hp	All versions
Zyxel Usg Flex 500h	All versions
Zyxel Usg Flex 700h	All versions

Related CWEs

CWE-522

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (1)

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024

Source: security@zyxel.com.tw

Vendor Advisory

Timeline

No history available yet.