Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-9677

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.

Published

2024-10-22T02:15:04.380

Last Modified

2024-12-05T22:11:15.217

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	zyxel	uos	< 1.30	Yes
Hardware	zyxel	usg_flex_100h	-	No
Hardware	zyxel	usg_flex_200h	-	No
Hardware	zyxel	usg_flex_200hp	-	No
Hardware	zyxel	usg_flex_500h	-	No
Hardware	zyxel	usg_flex_700h	-	No

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024 Vendor Advisory ([email protected])