A critical vulnerability, tracked as CVE-2024-7261, affects several Zyxel router models. It allows attackers to execute commands on the host's operating system. The company has issued a series of patches to fix the issue.
The flaw stems from inadequate validation of user input. This enables attackers to run arbitrary commands on the affected device's operating system, potentially putting the entire network at risk.
The vulnerability is specifically linked to how certain Zyxel network devices, including access points and security routers, process the ‘host’ parameter within their CGI program.
“The improper neutralisation of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” explained Zyxel.
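The advisory does not publish the affected code, so the following is an added illustration, not Zyxel's code, of the allowlist validation a CGI handler can apply to a ‘host’ value before it is used anywhere near an OS command. The function name `host_is_safe` and the sample values are hypothetical and constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Zyxel's code): returns 1 only when `host` is a
 * plain hostname or IPv4 literal built from RFC 1123 labels, else 0. */
int host_is_safe(const char *host)
{
    size_t len, label = 0;   /* label = length of the current dot-separated label */

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > 253)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];

        if (c == '.') {
            /* No empty labels, and a label may not end with '-'. */
            if (label == 0 || host[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        /* Allowlist: ASCII letters, digits and '-'. Shell metacharacters,
         * whitespace, control bytes and non-ASCII bytes all fail here. */
        if (!(c < 0x80 && isalnum(c)) && c != '-')
            return 0;
        /* A leading '-' could be read as an option by a called program. */
        if (c == '-' && label == 0)
            return 0;
        if (++label > 63)
            return 0;
    }
    /* Reject a trailing '.' or '-'. */
    return label != 0 && host[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample values, not taken from the advisory. */
    const char *samples[] = { "ap1.example.com", "192.0.2.10", "ap1;reboot", "-v" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], host_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind complements, rather than replaces, passing the value to a child process as a separate argument instead of building a shell command string.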
Here is a list of the affected models and patches:
Affected Model | Affected Version | Patch Availability |
---|---|---|
NWA50AX | 7.00(ABYW.1) and earlier | 7.00(ABYW.2) |
NWA50AX PRO | 7.00(ACGE.1) and earlier | 7.00(ACGE.2) |
NWA55AXE | 7.00(ABZL.1) and earlier | 7.00(ABZL.2) |
NWA90AX | 7.00(ACCV.1) and earlier | 7.00(ACCV.2) |
NWA90AX PRO | 7.00(ACGF.1) and earlier | 7.00(ACGF.2) |
NWA110AX | 7.00(ABTG.1) and earlier | 7.00(ABTG.2) |
NWA130BE | 7.00(ACIL.1) and earlier | 7.00(ACIL.2) |
NWA210AX | 7.00(ABTD.1) and earlier | 7.00(ABTD.2) |
NWA220AX-6E | 7.00(ACCO.1) and earlier | 7.00(ACCO.2) |
NWA1123-AC PRO | 6.28(ABHD.0) and earlier | 6.28(ABHD.3) |
NWA1123ACv3 | 6.70(ABVT.4) and earlier | 6.70(ABVT.5) |
WAC500 | 6.70(ABVS.4) and earlier | 6.70(ABVS.5) |
WAC500H | 6.70(ABWA.4) and earlier | 6.70(ABWA.5) |
WAC6103D-I | 6.28(AAXH.0) and earlier | 6.28(AAXH.3) |
WAC6502D-S | 6.28(AASE.0) and earlier | 6.28(AASE.3) |
WAC6503D-S | 6.28(AASF.0) and earlier | 6.28(AASF.3) |
WAC6552D-S | 6.28(ABIO.0) and earlier | 6.28(ABIO.3) |
WAC6553D-E | 6.28(AASG.2) and earlier | 6.28(AASG.3) |
WAX300H | 7.00(ACHF.1) and earlier | 7.00(ACHF.2) |
WAX510D | 7.00(ABTF.1) and earlier | 7.00(ABTF.2) |
WAX610D | 7.00(ABTE.1) and earlier | 7.00(ABTE.2) |
WAX620D-6E | 7.00(ACCN.1) and earlier | 7.00(ACCN.2) |
WAX630S | 7.00(ABZD.1) and earlier | 7.00(ABZD.2) |
WAX640S-6E | 7.00(ACCM.1) and earlier | 7.00(ACCM.2) |
WAX650S | 7.00(ABRM.1) and earlier | 7.00(ABRM.2) |
WAX655E | 7.00(ACDO.1) and earlier | 7.00(ACDO.2) |
WBE530 | 7.00(ACLE.1) and earlier | 7.00(ACLE.2) |
WBE660S | 7.00(ACGG.1) and earlier | 7.00(ACGG.2) |
USG LITE 60AX (Security Router) | V2.00(ACIP.2) | V2.00(ACIP.3)* |
*The USG LITE 60AX model is automatically updated by the cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
In addition to addressing CVE-2024-7261, Zyxel has also released patches for several high-severity vulnerabilities in its ATP and USG FLEX firewall series. These flaws range from buffer overflows to command injection vulnerabilities and could allow authenticated and unauthenticated attackers to perform various malicious activities.
Notably, CVE-2024-42057, a command injection flaw in the IPSec VPN feature, stands out due to its potential for remote exploitation without authentication. As pointed out by BleepingComputer, its severity is mitigated by the specific configuration requirements, but it remains a significant threat.
Other vulnerabilities patched include:
- CVE-2024-6343: Buffer overflow leading to potential Denial of Service (DoS).
- CVE-2024-7203: Post-authentication command injection via CLI.
- CVE-2024-42058: Null pointer dereference causing DoS.
- CVE-2024-42059 to CVE-2024-42061: Various command injection and XSS vulnerabilities.