MEDIUM · 5.5

CVE-2024-9677


Vulnerability Description

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to escalate privileges by stealing the authentication token of a logged-in administrator. Note that this attack can succeed only if the administrator has not logged out.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: NONE
Availability: NONE

Affected Products

Vendor   Product          Versions
Zyxel    Uos              < 1.30
Zyxel    Usg Flex 100H    -
Zyxel    Usg Flex 200H    -
Zyxel    Usg Flex 200Hp   -
Zyxel    Usg Flex 500H    -
Zyxel    Usg Flex 700H    -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2024-9677?

CVE-2024-9677 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to escalate privileges by stealing the authentication token of a logged-in administrator, provided the administrator has not logged out.

How severe is CVE-2024-9677?

CVE-2024-9677 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2024-9677?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Uos, Zyxel Usg Flex 100H, Zyxel Usg Flex 200H, Zyxel Usg Flex 200Hp, Zyxel Usg Flex 500H.