Zyxel fixed critical OS command injection flaw in multiple routers

Pierluigi Paganini September 04, 2024

Taiwanese manufacturer Zyxel addressed a critical OS command injection flaw affecting multiple models of its business routers.

Zyxel has released security updates to address a critical vulnerability, tracked as CVE-2024-7261 (CVSS v3 score of 9.8), impacting multiple models of its business routers.

The flaw is an operating system (OS) command injection issue that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.

An unauthenticated attacker can execute OS commands by sending a specially crafted cookie to a vulnerable device.

“Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions.” reads the advisory. “The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”

Below is the list of affected models and related patches:

ProductAffected modelAffected versionPatch availability
APNWA50AX7.00(ABYW.1) and earlier7.00(ABYW.2)
NWA50AX PRO7.00(ACGE.1) and earlier7.00(ACGE.2)
NWA55AXE7.00(ABZL.1) and earlier7.00(ABZL.2)
NWA90AX7.00(ACCV.1) and earlier7.00(ACCV.2)
NWA90AX PRO7.00(ACGF.1) and earlier7.00(ACGF.2)
NWA110AX7.00(ABTG.1) and earlier7.00(ABTG.2)
NWA130BE7.00(ACIL.1) and earlier7.00(ACIL.2)
NWA210AX7.00(ABTD.1) and earlier7.00(ABTD.2)
NWA220AX-6E7.00(ACCO.1) and earlier7.00(ACCO.2)
NWA1123-AC PRO6.28(ABHD.0) and earlier6.28(ABHD.3)
NWA1123ACv36.70(ABVT.4) and earlier6.70(ABVT.5)
WAC5006.70(ABVS.4) and earlier6.70(ABVS.5)
WAC500H6.70(ABWA.4) and earlier6.70(ABWA.5)
WAC6103D-I6.28(AAXH.0) and earlier6.28(AAXH.3)
WAC6502D-S6.28(AASE.0) and earlier6.28(AASE.3)
WAC6503D-S6.28(AASF.0) and earlier6.28(AASF.3)
WAC6552D-S6.28(ABIO.0) and earlier6.28(ABIO.3)
WAC6553D-E6.28(AASG.2) and earlier6.28(AASG.3)
WAX300H7.00(ACHF.1) and earlier7.00(ACHF.2)
WAX510D7.00(ABTF.1) and earlier7.00(ABTF.2)
WAX610D7.00(ABTE.1) and earlier7.00(ABTE.2)
WAX620D-6E7.00(ACCN.1) and earlier7.00(ACCN.2)
WAX630S7.00(ABZD.1) and earlier7.00(ABZD.2)
WAX640S-6E7.00(ACCM.1) and earlier7.00(ACCM.2)
WAX650S7.00(ABRM.1) and earlier7.00(ABRM.2)
WAX655E7.00(ACDO.1) and earlier7.00(ACDO.2)
WBE5307.00(ACLE.1) and earlier7.00(ACLE.2)
WBE660S7.00(ACGG.1) and earlier7.00(ACGG.2)
Security routerUSG LITE 60AXV2.00(ACIP.2)V2.00(ACIP.3)*

Chengchao Ai from the ROIS team at Fuzhou University discovered the vulnerability.

Zyxel routers were already targeted by threat actors in the past, in August 2023, a variant of the Gafgyt botnet actively attempted to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8), impacting the end-of-life Zyxel P660HN-T1A router.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, routers)



you might also like

leave a comment