The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. Besides the unauthenticated buffer overflow in the `zhttpd` webserver, two other vulnerabilities, the unauthenticated local file disclosure (LFI) in combination with a weak password derivation algorithm for user supervisor can be used to establish an unauthenticated RCE. The remote code execution (RCE) vulnerability can be exploited by chaining the local file disclosure (LFI) vulnerability in the `zhttpd` binary that allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint `/Export_Log?/data/zcfg_config.json`. With this information disclosure, the attacker can determine if the router is reachable via SSH and use the second vulnerability in the `zcmd` binary to derive the supervisor password by exploiting a weak password derivation algorithm using the device serial number. The followin…