Zyxel Fixes Critical RCE Vulnerability in UPnP Implementation

Zyxel has released security updates to address multiple vulnerabilities across its networking product line, most notably a command injection flaw within the Universal Plug and Play (UPnP) implementation. According to SecurityWeek, these vulnerabilities impact a wide range of device models and could be exploited to achieve remote code execution (RCE) or denial-of-service (DoS) conditions.

Technical Analysis of CVE-2024-42057

The primary concern in this advisory is CVE-2024-42057, which carries a CVSS v3.1 base score of 8.1. This vulnerability resides in the UPnP daemon of several Zyxel DSL and fiber CPE (Customer Premises Equipment) models. The flaw stems from insufficient validation of user-supplied input when processing UPnP requests.

An attacker positioned on the local network—or potentially over the internet if the UPnP interface is misconfigured for WAN access—can inject operating system commands. Because the UPnP service often runs with elevated privileges to manage network configurations and port mappings, successful exploitation grants the attacker full control over the underlying Linux-based firmware.

Accompanying Vulnerabilities

Beyond the primary command injection flaw, Zyxel addressed two other significant issues identified during their security review:

• CVE-2024-42058 (CVSS 7.5): A null pointer dereference vulnerability in the same UPnP function. While not providing code execution, this flaw allows an attacker to cause a denial-of-service condition by crashing the UPnP daemon, effectively disabling network discovery and auto-configuration features.
• CVE-2024-42059 (CVSS 8.1): Another OS command injection vulnerability, this time located in the web management interface’s firewall configuration module. This flaw requires the attacker to have administrative privileges to execute commands via crafted header files, though it could be leveraged in a multi-stage attack to achieve persistence.

Affected Models and Firmware Versions

The vulnerabilities impact a broad range of Zyxel devices typically deployed in small-to-medium business (SMB) and residential environments. The VMG series of digital subscriber line (DSL) gateways is heavily represented. Specific models requiring immediate updates include:

• VMG1312-B10D
• VMG3625-T50B
• VMG3927-T50K
• VMG8825-T50K
• Multiple fiber-to-the-home (FTTH) gateway models

Users must consult Zyxel’s official security advisory to confirm the specific firmware versions that introduce the fixes, as versioning varies significantly by hardware revision and regional variants.

Strategic Risk Assessment

Network edge devices like routers and gateways remain high-value targets for threat actors. Compromising these devices provides a foothold for lateral movement into the internal network. Historically, Zyxel devices have been targeted by Mirai-variant botnets and advanced persistent threat (APT) groups for use as proxy nodes or for traffic interception.

The ability to execute commands unauthenticated, as seen with CVE-2024-42057, is particularly dangerous. If the UPnP service is reachable from the WAN side, the device becomes susceptible to automated exploitation scripts scanning the public internet for vulnerable gateways.

Recommendations for Defenders

Runtime Rebel recommends the following actions to mitigate the risk posed by these vulnerabilities:

1. Immediate Firmware Updates: Prioritize updating affected VMG and fiber gateway models to the latest firmware versions provided by Zyxel. Automated update features should be verified as functional.
2. Disable UPnP: Unless strictly required for specific legacy applications, UPnP should be disabled on all network edge devices. This protocol has a long history of security vulnerabilities and often expands the attack surface without providing commensurate utility.
3. Restrict Management Access: Ensure that web management and command-line interfaces (SSH/Telnet) are not accessible from the Wide Area Network (WAN). Management should only be permitted from trusted internal VLANs.
4. Audit Firewall Rules: Review firewall configurations to ensure that the port forwarding rules often associated with UPnP are not leaving internal services exposed to the internet.