CVE-2024-7203

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators on affected Zyxel firewalls to execute arbitrary operating system commands through command injection in the CLI. It affects Zyxel ATP and USG FLEX series firewalls running firmware versions V4.60 through V5.38.

💻 Affected Systems

Products:
  • Zyxel ATP series
  • Zyxel USG FLEX series
Versions: V4.60 through V5.38
Operating Systems: Zyxel proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator authentication; default admin accounts are vulnerable if not changed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise leading to network pivoting, data exfiltration, or deployment of persistent backdoors.

🟠 Likely Case

Privilege escalation to root access, configuration manipulation, or lateral movement within the network.

🟢 If Mitigated

Limited impact if proper access controls restrict administrative accounts and network segmentation is implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access; command injection via crafted CLI commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V5.39 or later

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024

Restart Required: Yes

Instructions:

1. Download firmware V5.39 or later from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Limit administrative access to trusted IP addresses and use strong, unique passwords.

Network Segmentation (applies to: all)

Segment firewall management interfaces from general user networks.

🧯 If You Can't Patch

  • Implement strict access controls for administrative accounts and monitor for suspicious CLI activity.
  • Isolate affected devices in a dedicated management VLAN with limited network access.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Maintenance > Firmware) or CLI command 'show version'.

Check Version:

show version

Verify Fix Applied:

Confirm firmware version is V5.39 or later using the same methods.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CLI command execution patterns
  • Multiple failed login attempts followed by successful admin login

Network Indicators:

  • Unexpected outbound connections from firewall management interface
  • Anomalous traffic patterns post-admin login

SIEM Query:

source="firewall_logs" AND event_type="cli_command" AND (command="*;*" OR command="*|*")
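The following is an added example, not part of the original advisory and not Zyxel code: it applies the intent of the SIEM query above (flag cli_command events whose command contains ';' or '|') to a few constructed log lines, and checks a firmware version string against the affected range V4.60 through V5.38. The log line format and the sample entries are assumptions made for this example.

```python
import re

# Constructed sample log lines for this example (not real Zyxel output).
# Assumed format: "<timestamp> user=<name> event_type=<type> [command=\"<cmd>\"]"
SAMPLE_LOGS = [
    '2024-09-01T10:00:01 user=admin event_type=login result=success',
    '2024-09-01T10:00:05 user=admin event_type=cli_command command="show version"',
    '2024-09-01T10:00:09 user=admin event_type=cli_command command="show interface ge1; ls"',
    '2024-09-01T10:00:12 user=admin event_type=cli_command command="ping 10.0.0.1 | cat"',
    '2024-09-01T10:00:15 user=admin event_type=cli_command command="show logging"',
]

# Extract event_type and, when present, the quoted command from one log line.
LINE_RE = re.compile(r'event_type=(?P<etype>\S+)(?:\s+command="(?P<cmd>[^"]*)")?')

# Shell metacharacters the advisory's SIEM query looks for inside CLI commands.
METACHARS = (';', '|')


def parse_version(ver):
    """Turn a version string such as 'V5.38' into (5, 38).

    Assumes the 'V<major>.<minor>' prefix shown in the advisory; any trailing
    build suffix after the minor number is ignored.
    """
    m = re.match(r'V(\d+)\.(\d+)', ver.strip())
    if not m:
        raise ValueError(f'unrecognised firmware version: {ver!r}')
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(ver):
    """True when the version falls in the affected range V4.60 through V5.38 (fixed in V5.39)."""
    return (4, 60) <= parse_version(ver) <= (5, 38)


def suspicious_cli_commands(lines):
    """Return the commands from cli_command events that contain ';' or '|'."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group('etype') != 'cli_command' or m.group('cmd') is None:
            continue  # not a CLI command event, or no command field
        cmd = m.group('cmd')
        if any(c in cmd for c in METACHARS):
            hits.append(cmd)
    return hits
```

Treat a hit as a trigger for review rather than proof of exploitation, since an authenticated administrator may legitimately use these characters; correlate with the login indicators listed above.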
