CVE-2024-12398

An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device.

Published: Jan 14, 2025
Updated: May 4, 2025
CVE: CVE-2024-12398
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
zyxel / nwa50ax_firmware	-	7.10\(abyw.1\)
zyxel / nwa50ax_pro_firmware	-	7.10\(acge.1\)
zyxel / nwa55axe_firmware	-	7.10\(abzl.1\)
zyxel / nwa90ax_firmware	-	7.10\(accv.1\)
zyxel / nwa90ax_pro_firmware	-	7.10\(acgf.1\)
zyxel / nwa110ax_firmware	-	7.10\(abtg.1\)
zyxel / nwa130be_firmware	-	7.10\(acil.1\)
zyxel / nwa210ax_firmware	-	7.10\(abtd.1\)
zyxel / nwa220ax-6e_firmware	-	7.10\(acco.1\)
zyxel / nwa1123acv3_firmware	-	6.70\(abvt.6\)
zyxel / wac500_firmware	-	6.70\(abvs.6\)
zyxel / wac500h_firmware	-	6.70\(abwa.6\)
zyxel / wax300h_firmware	-	7.10\(achf.1\)
zyxel / wax510d_firmware	-	7.10\(abtf.1\)
zyxel / wax610d_firmware	-	7.10\(abte.1\)
zyxel / wax620d-6e_firmware	-	7.10\(accn.1\)
zyxel / wax630s_firmware	-	7.10\(abzd.1\)
zyxel / wax640s-6e_firmware	-	7.10\(accm.1\)
zyxel / wax650s_firmware	-	7.10\(abrm.1\)
zyxel / wax655e_firmware	-	7.10\(acdo.1\)
zyxel / wbe530_firmware	-	7.10\(acle.1\)
zyxel / wbe660s_firmware	-	7.00\(acgg.1\)
zyxel / usg_lite_60ax_firmware	-	2.10\(acip.0\)

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-improper-privilege-management-vulnerability-in-aps-and-security-router-devices-01-14-2025

Vulnerability Database

289,784

CVE-2024-12398