CVE-2024-8881

Vulnerability

A post-authentication command injection vulnerability exists in the CGI program of Zyxel GS1900-48 switches running firmware version V2.80(AAHN.1)C0 and earlier. An authenticated attacker with administrator privileges can exploit this by sending a crafted HTTP request to the affected device's CGI interface. The vulnerability is present because user-supplied input is not properly sanitized before being used in OS command execution [1].

Exploitation

To exploit this vulnerability, an attacker must have LAN access and be authenticated as an administrator on the target switch. The attacker then sends a specially crafted HTTP request to the CGI program, which results in the injection of arbitrary OS commands. No user interaction beyond the initial authentication is required; the attack can be carried out programmatically [1].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary OS commands on the affected device. This could lead to full compromise of the switch, including the ability to modify configuration, exfiltrate network data, or use the device as a pivot point for further attacks within the network. The impact is limited by the requirement for prior administrative authentication [1].

Mitigation

Zyxel has released firmware patches for affected GS1900 series switches. Users should upgrade to the fixed firmware version as indicated in the vendor's security advisory. For the GS1900-48, the fixed version is V2.80(AAHN.2)C0 or later. No effective workaround is available; the only mitigation is installing the patch. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].