
Zyxel warns of critical OS command injection flaw in routers


Jasper_The_Rasper
Moderator

September 3, 2024 By Bill Toulas


Zyxel has released security updates to address a critical vulnerability impacting multiple models of its business routers, potentially allowing unauthenticated attackers to perform OS command injection.

The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 score of 9.8 ("critical"), is an input validation fault caused by improper handling of user-supplied data, allowing remote attackers to execute arbitrary commands on the host operating system.

"The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," warns Zyxel.

The Zyxel access points (APs) impacted by CVE-2024-7261 are the following:

  • NWA Series: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ABYW.2) and later
  • NWA1123-AC PRO | all versions up to 6.28 are vulnerable, upgrade to 6.28(ABHD.3) and later
  • NWA1123ACv3, WAC500, WAC500H | all versions up to 6.70 are vulnerable, upgrade to 6.70(ABVT.5) and later
  • WAC Series: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all versions up to 6.28 are vulnerable, upgrade to 6.28(AAXH.3) and later
  • WAX Series: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACHF.2) and later
  • WBE Series: WBE530, WBE660S | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACLE.2) and later

Zyxel says that the USG LITE 60AX security router running V2.00(ACIP.2) is also impacted, but this model is automatically updated via the cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.
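As an added inventory-check example (not code from Zyxel or the article), the affected-model table above and the USG LITE 60AX note can be turned into a script that flags devices still running pre-fix firmware. It assumes Zyxel's version strings have the form `7.00(ABYW.2)` = major.minor, build label, patch level, and that a build with the same major.minor but a lower patch level (or no suffix at all) predates the fix; the build label itself is not compared.

```python
"""Flag Zyxel APs/routers that still run firmware affected by CVE-2024-7261.

Added example, not from the advisory or the article. Fixed versions are
copied from the advisory text; the version-string semantics are an
assumption (see the lead-in) and should be checked against Zyxel's
release notes before the result drives any action.
"""
import re
from typing import Optional, Tuple

# First fixed firmware per model, as listed in the advisory on this page.
FIXED_FIRMWARE = {
    **dict.fromkeys(["NWA50AX", "NWA50AX PRO", "NWA55AXE", "NWA90AX", "NWA90AX PRO",
                     "NWA110AX", "NWA130BE", "NWA210AX", "NWA220AX-6E"], "7.00(ABYW.2)"),
    "NWA1123-AC PRO": "6.28(ABHD.3)",
    **dict.fromkeys(["NWA1123ACv3", "WAC500", "WAC500H"], "6.70(ABVT.5)"),
    **dict.fromkeys(["WAC6103D-I", "WAC6502D-S", "WAC6503D-S",
                     "WAC6552D-S", "WAC6553D-E"], "6.28(AAXH.3)"),
    **dict.fromkeys(["WAX300H", "WAX510D", "WAX610D", "WAX620D-6E", "WAX630S",
                     "WAX640S-6E", "WAX650S", "WAX655E"], "7.00(ACHF.2)"),
    **dict.fromkeys(["WBE530", "WBE660S"], "7.00(ACLE.2)"),
    "USG LITE 60AX": "V2.00(ACIP.3)",  # cloud-updated, per the advisory
}

# Optional leading "V", major.minor, optional "(LABEL.patch)" suffix.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\(([A-Z]+)\.(\d+)\))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); a bare 'x.yy' string gets patch 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, _label, patch = m.groups()
    return int(major), int(minor), int(patch) if patch else 0


def is_vulnerable(model: str, running: str) -> Optional[bool]:
    """True if the firmware predates the fix, False if at/after it,
    None when the model is not in the advisory table."""
    fixed = FIXED_FIRMWARE.get(model)
    if fixed is None:
        return None
    return parse_version(running) < parse_version(fixed)
```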
