In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
The "Persistent Remote Code Execution Vulnerability" lets attackers execute code persistently on Zyxel devices by injecting malicious code into configuration backups. The injected code is restored when the device reboots, granting lasting access.
The "Local Privilege Escalation Vulnerability" lets attackers escalate their privileges to root on Zyxel devices by exploiting a flaw in the file_upload-cgi endpoint.
The "Python Code Injection Vulnerability" allows attackers to execute arbitrary Python code on Zyxel devices by sending a crafted request to the simZysh endpoint, bypassing authentication and filters.
The "Privilege Escalation and Information Disclosure Vulnerability" allows attackers to escalate privileges and gain admin access on Zyxel devices by sending a crafted request to access session tokens.