Zyxel patches critical OS command injection flaws in routers

A critical vulnerability, tracked as CVE-2024-7261, affects several Zyxel router models. It allows attackers to execute commands on the host operating system. The company has issued a series of patches to fix the issue.

The flaw stems from inadequate validation of user input. This enables attackers to run arbitrary commands on the affected device's operating system, potentially putting the entire network at risk.

The vulnerability is specifically linked to how certain Zyxel network devices, including access points and security routers, process the ‘host’ parameter within their CGI program.

“The improper neutralisation of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” explained Zyxel.

Here is a list of the affected models and patches:

| Affected Model | Affected Version | Patch Availability |
|---|---|---|
| NWA50AX | 7.00(ABYW.1) and earlier | 7.00(ABYW.2) |
| NWA50AX PRO | 7.00(ACGE.1) and earlier | 7.00(ACGE.2) |
| NWA55AXE | 7.00(ABZL.1) and earlier | 7.00(ABZL.2) |
| NWA90AX | 7.00(ACCV.1) and earlier | 7.00(ACCV.2) |
| NWA90AX PRO | 7.00(ACGF.1) and earlier | 7.00(ACGF.2) |
| NWA110AX | 7.00(ABTG.1) and earlier | 7.00(ABTG.2) |
| NWA130BE | 7.00(ACIL.1) and earlier | 7.00(ACIL.2) |
| NWA210AX | 7.00(ABTD.1) and earlier | 7.00(ABTD.2) |
| NWA220AX-6E | 7.00(ACCO.1) and earlier | 7.00(ACCO.2) |
| NWA1123-AC PRO | 6.28(ABHD.0) and earlier | 6.28(ABHD.3) |
| NWA1123ACv3 | 6.70(ABVT.4) and earlier | 6.70(ABVT.5) |
| WAC500 | 6.70(ABVS.4) and earlier | 6.70(ABVS.5) |
| WAC500H | 6.70(ABWA.4) and earlier | 6.70(ABWA.5) |
| WAC6103D-I | 6.28(AAXH.0) and earlier | 6.28(AAXH.3) |
| WAC6502D-S | 6.28(AASE.0) and earlier | 6.28(AASE.3) |
| WAC6503D-S | 6.28(AASF.0) and earlier | 6.28(AASF.3) |
| WAC6552D-S | 6.28(ABIO.0) and earlier | 6.28(ABIO.3) |
| WAC6553D-E | 6.28(AASG.2) and earlier | 6.28(AASG.3) |
| WAX300H | 7.00(ACHF.1) and earlier | 7.00(ACHF.2) |
| WAX510D | 7.00(ABTF.1) and earlier | 7.00(ABTF.2) |
| WAX610D | 7.00(ABTE.1) and earlier | 7.00(ABTE.2) |
| WAX620D-6E | 7.00(ACCN.1) and earlier | 7.00(ACCN.2) |
| WAX630S | 7.00(ABZD.1) and earlier | 7.00(ABZD.2) |
| WAX640S-6E | 7.00(ACCM.1) and earlier | 7.00(ACCM.2) |
| WAX650S | 7.00(ABRM.1) and earlier | 7.00(ABRM.2) |
| WAX655E | 7.00(ACDO.1) and earlier | 7.00(ACDO.2) |
| WBE530 | 7.00(ACLE.1) and earlier | 7.00(ACLE.2) |
| WBE660S | 7.00(ACGG.1) and earlier | 7.00(ACGG.2) |
| USG LITE 60AX (Security Router) | V2.00(ACIP.2) | V2.00(ACIP.3)* |

The USG LITE 60AX model is automatically updated by the cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.

In addition to addressing CVE-2024-7261, Zyxel has also released patches for several high-severity vulnerabilities in its ATP and USG FLEX firewall series. These flaws range from buffer overflows to command injection vulnerabilities and could allow authenticated and unauthenticated attackers to perform various malicious activities.

Notably, CVE-2024-42057, a command injection flaw in the IPSec VPN feature, stands out due to its potential for remote exploitation without authentication. As pointed out by BleepingComputer, its severity is mitigated by the specific configuration requirements, but it remains a significant threat.

Other vulnerabilities patched include:

  • CVE-2024-6343: Buffer overflow leading to potential Denial of Service (DoS).
  • CVE-2024-7203: Post-authentication command injection via CLI.
  • CVE-2024-42058: Null pointer dereference causing DoS.
  • CVE-2024-42059 to CVE-2024-42061: Various command injection and XSS vulnerabilities.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me