CVE-2024-9677

MEDIUM

Zyxel Uos < 1.30 - Insufficiently Protected Credentials

Title source: rule

Description

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.

References (1)

[Vendor Advisory] https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024

Scores

CVSS v3 5.5

EPSS 0.0012

EPSS Percentile 30.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (1)

zyxel/uos < 1.30

Timeline

Published Oct 22, 2024

Tracked Since Feb 18, 2026