Vulnerability Description
Zyxel VMG5313-B30B routers on firmware 5.13(ABCJ.6)b3_1127, and possibly older firmware versions, are affected by insecure permissions that allow regular and other users to create new users with elevated privileges. This is done by changing the "FirstIndex" field in the JSON that is POST-ed during account creation. The same may also be possible with account deletion.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zyxel | VMG5313-B30B Firmware | <= 5.13(ABCJ.6)b3_1127 |
| Zyxel | VMG5313-B30B | - |
Related Weaknesses (CWE)
References
- https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B (Exploit, Third Party Advisory)
- https://blog.somegeneric.ninja/Zyxel_VMG5153_B30B_part2 (Exploit, Third Party Advisory)
- https://www.zyxel.com/support/security_advisories.shtml (Vendor Advisory)
FAQ
What is CVE-2020-24355?
CVE-2020-24355 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Zyxel VMG5313-B30B routers on firmware 5.13(ABCJ.6)b3_1127, and possibly older firmware versions, are affected by insecure permissions that allow regular and other users to create new users with el...
How severe is CVE-2020-24355?
CVE-2020-24355 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-24355?
Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Vmg5313-B30B Firmware, Zyxel Vmg5313-B30B.