**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
https://www.securityweek.com/zyxel-issues-no-patch-warning-for-exploited-zero-days/
https://securityaffairs.com/173589/hacking/zyxel-cpe-series-devices-cve-2024-40891-exploited.html