Zyxel has issued a critical security alert regarding a severe vulnerability in several of its business router models. This flaw, identified as CVE-2024-7261, poses a significant threat by potentially allowing unauthorised users to execute operating system (OS) commands on affected devices.
Vulnerability Overview
CVE-2024-7261 is a critical input validation issue with a CVSS v3 score of 9.8, highlighting the severity of the flaw. The vulnerability arises from improper handling of user-provided data, which could enable remote attackers to run arbitrary OS commands. Specifically, the issue affects the parameter "host" in the CGI program of certain Zyxel access points (APs) and security routers. An attacker could exploit this flaw by sending a specially crafted cookie to a vulnerable device, leading to unauthorised command execution.
Impacted Devices
The following Zyxel access points and routers are affected by CVE-2024-7261:
NWA Series: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E (all versions up to 7.00); upgrade to 7.00(ABYW.2) or later
NWA1123-AC PRO: All versions up to 6.28; upgrade to 6.28(ABHD.3) or later
NWA1123ACv3, WAC500, WAC500H: All versions up to 6.70; upgrade to 6.70(ABVT.5) or later
WAC Series: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E (all versions up to 6.28); upgrade to 6.28(AAXH.3) or later
WAX Series: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E (all versions up to 7.00); upgrade to 7.00(ACHF.2) or later
WBE Series: WBE530, WBE660S (all versions up to 7.00); upgrade to 7.00(ACLE.2) or later
Additionally, the Zyxel security router USG LITE 60AX running V2.00(ACIP.2) is affected, but it is automatically updated via the cloud to V2.00(ACIP.3), which includes a fix for CVE-2024-7261.
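As an added example (not from Zyxel's advisory or any Zyxel tool), the following Python check parses version strings of the form used above and flags inventory entries that sit below the fixed release for their model. The FIXED_VERSIONS table is transcribed from the list above (a subset), and the assumption that the build label in parentheses is fixed per model is mine.

```python
import re
from typing import List, Optional, Tuple

# Zyxel firmware versions look like "7.00(ABYW.2)" or "V2.00(ACIP.3)":
# major.minor, then a build label and a patch number in parentheses.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)\s*$")

# Fixed releases per model, transcribed from the advisory list above
# (subset; extend with the remaining models from the advisory).
FIXED_VERSIONS = {
    "NWA50AX": "7.00(ABYW.2)",
    "NWA110AX": "7.00(ABYW.2)",
    "NWA1123-AC PRO": "6.28(ABHD.3)",
    "WAC500": "6.70(ABVT.5)",
    "WAC6502D-S": "6.28(AAXH.3)",
    "WAX650S": "7.00(ACHF.2)",
    "WBE660S": "7.00(ACLE.2)",
    "USG LITE 60AX": "V2.00(ACIP.3)",
}


def parse_version(text: str) -> Tuple[int, int, str, int]:
    """Split '7.00(ABYW.2)' into (7, 0, 'ABYW', 2); ValueError if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, label, patch = m.groups()
    return int(major), int(minor), label, int(patch)


def is_patched(model: str, running: str) -> Optional[bool]:
    """True if running >= fixed release, False if older, None if the model is
    unknown or the build label differs (assumed per-model, so not comparable)."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    r_major, r_minor, r_label, r_patch = parse_version(running)
    f_major, f_minor, f_label, f_patch = parse_version(fixed)
    if r_label != f_label:
        return None
    return (r_major, r_minor, r_patch) >= (f_major, f_minor, f_patch)


def devices_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Every (model, version, fixed) not positively confirmed as patched."""
    return [(m, v, FIXED_VERSIONS.get(m)) for m, v in inventory if is_patched(m, v) is not True]


# Constructed sample inventory for demonstration, not real device data.
SAMPLE_INVENTORY = [("NWA110AX", "7.00(ABYW.1)"), ("WAX650S", "7.00(ACHF.2)"),
                    ("USG LITE 60AX", "V2.00(ACIP.2)")]
```

Entries reported as None (unknown model or mismatched label) should be checked by hand rather than treated as safe.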
Additional Security Updates
Zyxel has also addressed multiple high-severity vulnerabilities in its ATP and USG FLEX firewalls. Notable issues include:
CVE-2024-6343: A buffer overflow in the CGI program that could lead to a denial of service (DoS) if an authenticated admin sends a crafted HTTP request.
CVE-2024-7203: Post-authentication command injection allowing an authenticated admin to execute OS commands via a crafted CLI command.
CVE-2024-42057: Command injection in IPSec VPN, which can be exploited remotely without authentication under specific configuration conditions (CVSS v3: 8.1, "high").
CVE-2024-42058: Null pointer dereference that may cause DoS via crafted packets sent by an unauthenticated attacker.
CVE-2024-42059: Post-authentication command injection enabling OS command execution through a crafted compressed language file uploaded via FTP.
CVE-2024-42060: Similar to CVE-2024-42059 but through a crafted internal user agreement file.
CVE-2024-42061: Reflected XSS in "dynamic_script.cgi" that could lead to browser-based information leakage if an attacker tricks a user into visiting a malicious URL.
The vulnerability CVE-2024-42057 is particularly noteworthy due to its high severity and potential for remote exploitation, albeit with specific configuration requirements that somewhat mitigate its risk.
Recommendations
For all affected devices, Zyxel recommends upgrading to the latest firmware versions provided in their advisories. For a comprehensive list of impacted devices and firmware updates, please refer to Zyxel’s official security advisory.