CVE-2021-35031
Severity: HIGH
WAF coverage: High
CVSS: 8.0
Published: 2021-12-28
CWE: CWE-78
A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware could allow an authenticated LAN user to execute arbitrary OS commands via the GUI of the vulnerable device.
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| zyxel | gs1900-8_firmware | up to 2.70(aahh.0)-20211208 |
| zyxel | gs1900-8hp_firmware | up to 2.70(aahi.0)-20211208 |
| zyxel | gs1900-10hp_firmware | up to 2.70(aazi.0)-20211208 |
| zyxel | gs1900-16_firmware | up to 2.70(aahj.0)-20211208 |
| zyxel | gs1900-24e_firmware | up to 2.70(aahk.0)-20211208 |
| zyxel | gs1900-24ep_firmware | up to 2.70(abto.0)-20211208 |
| zyxel | gs1900-24_firmware | up to 2.70(aahl.0)-20211208 |
| zyxel | gs1900-24hp_firmware | up to 2.70(aahm.0)-20211208 |
| zyxel | gs1900-24hpv2_firmware | up to 2.70(aatp.0)-20211208 |
| zyxel | gs1900-48_firmware | up to 2.70(aahn.0)-20211208 |
References
- www.zyxel.com (Patch, Vendor Advisory)