CVE-2024-12398
HIGH
Zyxel NWA/WA/WAX Firmware Authenticated Privilege Escalation via Config Upload
Title source: llm
Description
An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device.
Scores
CVSS v3: 8.8
EPSS: 0.0034
EPSS Percentile: 56.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-269
Status: published
Products (23)
zyxel/nwa110ax_firmware < 7.10(abtg.1)
zyxel/nwa1123acv3_firmware < 6.70(abvt.6)
zyxel/nwa130be_firmware < 7.10(acil.1)
zyxel/nwa210ax_firmware < 7.10(abtd.1)
zyxel/nwa220ax-6e_firmware < 7.10(acco.1)
zyxel/nwa50ax_firmware < 7.10(abyw.1)
zyxel/nwa50ax_pro_firmware < 7.10(acge.1)
zyxel/nwa55axe_firmware < 7.10(abzl.1)
zyxel/nwa90ax_firmware < 7.10(accv.1)
zyxel/nwa90ax_pro_firmware < 7.10(acgf.1)
... and 13 more
Published: Jan 14, 2025
Tracked Since: Feb 18, 2026