Description
An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. By sending a signal to the CLI process, undocumented functionality is triggered. Specifically, a menu can be triggered by sending the SIGQUIT signal to the CLI application (e.g., through CTRL+\ via SSH). The access control check for this menu does work and prohibits accessing the menu, which contains "Password recovery for specific user" options. The menu is believed to be accessible using a serial console.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://jasper.la/exploring-zyxel-gs1900-firmware-with-ghidra.html
Vendor Advisory x_refsource_confirm
https://www.zyxel.com/support/gs1900-switch-vulnerabilities.shtml
Scores
CVSS v3
7.5
EPSS
0.0024
EPSS Percentile
47.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (9)
zyxel/gs1900-10hp_firmware
< 2.50\(aazi.0\)c0
zyxel/gs1900-16_firmware
< 2.50\(aahj.0\)c0
zyxel/gs1900-24_firmware
< 2.50\(aahl.0\)c0
zyxel/gs1900-24e_firmware
< 2.50\(aahk.0\)c0
zyxel/gs1900-24hp_firmware
< 2.50\(aahm.0\)c0
zyxel/gs1900-48_firmware
< 2.50\(aahn.0\)c0
zyxel/gs1900-48hp_firmware
< 2.50\(aaho.0\)c0
zyxel/gs1900-8_firmware
< 2.50\(aahh.0\)c0
zyxel/gs1900-8hp_firmware
< 2.50\(aahi.0\)c0
Published
Nov 14, 2019
Tracked Since
Feb 18, 2026