Pierluigi Paganini
September 04, 2024
Zyxel has released security updates to address a critical vulnerability, tracked as CVE-2024-7261 (CVSS v3 score of 9.8), impacting multiple models of its business routers.
The flaw is an operating system (OS) command injection issue that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.
An unauthenticated attacker can execute OS commands by sending a specially crafted cookie to a vulnerable device.
“Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions.” reads the advisory. “The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”
Below is the list of affected models and related patches:
| Product | Affected model | Affected version | Patch availability |
|---|---|---|---|
| AP | NWA50AX | 7.00(ABYW.1) and earlier | 7.00(ABYW.2) |
| NWA50AX PRO | 7.00(ACGE.1) and earlier | 7.00(ACGE.2) | |
| NWA55AXE | 7.00(ABZL.1) and earlier | 7.00(ABZL.2) | |
| NWA90AX | 7.00(ACCV.1) and earlier | 7.00(ACCV.2) | |
| NWA90AX PRO | 7.00(ACGF.1) and earlier | 7.00(ACGF.2) | |
| NWA110AX | 7.00(ABTG.1) and earlier | 7.00(ABTG.2) | |
| NWA130BE | 7.00(ACIL.1) and earlier | 7.00(ACIL.2) | |
| NWA210AX | 7.00(ABTD.1) and earlier | 7.00(ABTD.2) | |
| NWA220AX-6E | 7.00(ACCO.1) and earlier | 7.00(ACCO.2) | |
| NWA1123-AC PRO | 6.28(ABHD.0) and earlier | 6.28(ABHD.3) | |
| NWA1123ACv3 | 6.70(ABVT.4) and earlier | 6.70(ABVT.5) | |
| WAC500 | 6.70(ABVS.4) and earlier | 6.70(ABVS.5) | |
| WAC500H | 6.70(ABWA.4) and earlier | 6.70(ABWA.5) | |
| WAC6103D-I | 6.28(AAXH.0) and earlier | 6.28(AAXH.3) | |
| WAC6502D-S | 6.28(AASE.0) and earlier | 6.28(AASE.3) | |
| WAC6503D-S | 6.28(AASF.0) and earlier | 6.28(AASF.3) | |
| WAC6552D-S | 6.28(ABIO.0) and earlier | 6.28(ABIO.3) | |
| WAC6553D-E | 6.28(AASG.2) and earlier | 6.28(AASG.3) | |
| WAX300H | 7.00(ACHF.1) and earlier | 7.00(ACHF.2) | |
| WAX510D | 7.00(ABTF.1) and earlier | 7.00(ABTF.2) | |
| WAX610D | 7.00(ABTE.1) and earlier | 7.00(ABTE.2) | |
| WAX620D-6E | 7.00(ACCN.1) and earlier | 7.00(ACCN.2) | |
| WAX630S | 7.00(ABZD.1) and earlier | 7.00(ABZD.2) | |
| WAX640S-6E | 7.00(ACCM.1) and earlier | 7.00(ACCM.2) | |
| WAX650S | 7.00(ABRM.1) and earlier | 7.00(ABRM.2) | |
| WAX655E | 7.00(ACDO.1) and earlier | 7.00(ACDO.2) | |
| WBE530 | 7.00(ACLE.1) and earlier | 7.00(ACLE.2) | |
| WBE660S | 7.00(ACGG.1) and earlier | 7.00(ACGG.2) | |
| Security router | USG LITE 60AX | V2.00(ACIP.2) | V2.00(ACIP.3)* |
Chengchao Ai from the ROIS team at Fuzhou University discovered the vulnerability.
Zyxel routers were already targeted by threat actors in the past, in August 2023, a variant of the Gafgyt botnet actively attempted to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8), impacting the end-of-life Zyxel P660HN-T1A router.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, routers)
