CVE-2020-28899
CRITICAL
ZyXEL LTE4506-M606 Firmware < v1.00(ABDO.6)C0 - Unauthenticated Remote Command Execution via CGI Script
Title source: llm
Description
The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://www.zyxel.com/support/Zyxel-security-advisory-for-CGI-vulnerability-of-LTE.shtml
Scores
CVSS v3
9.1
EPSS
0.0034
EPSS Percentile
57.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-306
Status
published
Products (3)
zyxel/lte4506-m606_firmware
< v1.00(abdo.6)c0
zyxel/lte7460-m608_firmware
< v1.00(abfr.5)c0
zyxel/wah7706_firmware
< v1.00(abbc.11)c0
Published
Mar 16, 2021
Tracked Since
Feb 18, 2026