CVE-2024-7203: 
NixOS vulnerability analysis and mitigation

A post-authentication command injection vulnerability was discovered in Zyxel ATP series firmware versions V4.60 through V5.38 and USG FLEX series firmware versions V4.60 through V5.38. This vulnerability is tracked as CVE-2024-7203 and was disclosed on September 2, 2024. The affected systems include Zyxel ATP series and USG FLEX series firewalls running the specified firmware versions (Vendor Advisory).

The vulnerability is classified as a command injection flaw (CWE-78) that allows authenticated attackers with administrator privileges to execute operating system commands on affected devices by executing crafted CLI commands. The vulnerability has received a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability allows an authenticated attacker with administrator privileges to execute operating system commands on the affected device. This could potentially lead to complete system compromise, including unauthorized access to sensitive information, system modification, and service disruption (Vendor Advisory).

Zyxel has released firmware version V5.39 to address this vulnerability. Users of affected devices are strongly advised to upgrade to the patched version. The fix is available for both ATP series and USG FLEX series devices (Vendor Advisory).

The vulnerability was discovered and reported by Alessandro Sgreccia and Manuel Roccon from HackerHood, demonstrating ongoing security research efforts in network device security (Vendor Advisory).