Zyxel warns of critical OS command injection flaw in routers

Zyxel has released security updates to address a critical vulnerability impacting multiple models of its business routers, potentially allowing unauthenticated attackers to perform OS command injection.

The flaw, tracked as CVE-2024-7261 and assigned a CVSS v3 score of 9.8 (“critical”), is an input validation fault caused by improper handling of user-supplied data, allowing remote attackers to execute arbitrary commands on the host operating system.

“The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” – warns Zyxel.

The Zyxel access points (APs) impacted by CVE-2024-7261 are the following:

• NWA Series: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ABYW.2) and later
• NWA1123-AC PRO | all versions up to 6.28 are vulnerable, upgrade to 6.28(ABHD.3) and later
• NWA1123ACv3, WAC500, WAC500H | all versions up to 6.70 are vulnerable, upgrade to 6.70(ABVT.5)  and later
• WAC Series: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E | all versions up to 6.28 are vulnerable, upgrade to 6.28(AAXH.3) and later
• WAX Series: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACHF.2) and later
• WBE Series: WBE530, WBE660S | all versions up to 7.00 are vulnerable, upgrade to 7.00(ACLE.2) and later

Zyxel says that security router USG LITE 60AX running V2.00(ACIP.2) is also impacted, but this model is automatically updated by cloud to V2.00(ACIP.3), which implements the patch for CVE-2024-7261.

More Zyxel fixes

Zyxel has also issued security updates for multiple high-severity flaws in APT and USG FLEX firewalls. A summary can be found below:

• CVE-2024-6343: Buffer overflow in the CGI program could lead to DoS by an authenticated admin sending a crafted HTTP request.
• CVE-2024-7203: Post-authentication command injection allows an authenticated admin to execute OS commands via a crafted CLI command.
• CVE-2024-42057: Command injection in IPSec VPN allows an unauthenticated attacker to execute OS commands with a crafted long username in User-Based-PSK mode.
• CVE-2024-42058: Null pointer dereference could cause DoS via crafted packets sent by an unauthenticated attacker.
• CVE-2024-42059: Post-authentication command injection allows an authenticated admin to execute OS commands by uploading a crafted compressed language file via FTP.
• CVE-2024-42060: Post-authentication command injection allows an authenticated admin to execute OS commands by uploading a crafted internal user agreement file.
• CVE-2024-42061: Reflected XSS in “dynamic_script.cgi” could allow an attacker to trick a user into visiting a crafted URL, potentially leaking browser-based information.

The most interesting of the above is CVE-2024-42057 (CVSS v3: 8.1, “high”), which is a command injection vulnerability in the IPSec VPN feature that can be remotely exploited without authentication.