Zyxel has released essential software updates to fix a severe security vulnerability affecting specific access points (APs) and security routers. If left unresolved, this flaw could allow attackers to execute unauthorized commands remotely, posing significant risks to users’ networks.
The vulnerability, identified as CVE-2024-7261 and rated 9.8 on the CVSS scale, involves an operating system (OS) command injection. According to Zyxel’s security advisory, the vulnerability stems from the improper neutralization of special characters in the “host” parameter within the CGI program of affected APs and routers. This flaw could enable an unauthenticated attacker to execute malicious OS commands by sending a crafted cookie to the vulnerable device.
This critical flaw was reported by Chengchao Ai from the ROIS team at Fuzhou University, who discovered and disclosed the vulnerability.
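For readers who want to see the weakness class the advisory describes, the block below is an added illustration, not Zyxel's CGI code (which is not public): it places the classic unsafe pattern, an untrusted "host" value spliced into a shell command line, beside a hardened version that validates the value as a hostname and builds an argv so no shell ever interprets it. Function names, the `ping` use case and the validation rules are assumptions made for the example.

```c
// Added example (not Zyxel's code): the unsafe pattern behind an OS command
// injection in a CGI handler, beside a hardened version. Function names and
// the "host" handling are assumptions; the actual CGI program is not public.
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

// Vulnerable pattern: the untrusted "host" value is spliced into a shell
// command line. Anything the shell treats specially (';', '|', '`', '$')
// changes the command. The string is returned only for inspection here;
// it must never be handed to system() or popen().
int build_command_unsafe(char *out, size_t outlen, const char *host) {
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

// Hardened check: accept only RFC 1123 style hostnames or dotted IPv4
// literals: letters, digits, '-' and '.', labels of 1-63 characters, total
// length <= 253, no empty labels, no label starting or ending with '-'.
// Rejecting a leading '-' also stops the value being read as an option.
bool is_valid_hostname(const char *host) {
    if (host == NULL) return false;
    size_t len = strlen(host);
    if (len == 0 || len > 253) return false;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            // empty label, or previous label ended with '-'
            if (label_len == 0 || host[i - 1] == '-') return false;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;
        if (label_len == 0 && c == '-') return false;
        if (++label_len > 63) return false;
    }
    // final label must be non-empty and must not end with '-'
    return label_len > 0 && host[len - 1] != '-';
}

// Hardened pattern: validate first, then build an argv so the value is a
// single argument to the program and no shell parses it. A caller would pass
// argv to fork()/execvp() instead of system().
int build_argv_safe(const char *host, const char *argv[], size_t argc_max) {
    if (argc_max < 5 || !is_valid_hostname(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 0;
}
```

The two fixes are independent and both matter: the allowlist stops metacharacters from ever reaching the command, and the argv form means that even a validation gap would not give the input a shell to talk to. Validation that only blocklists a few characters, or that sanitizes and then still calls system(), is the kind of "improper neutralization" the advisory refers to.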
Additional Vulnerabilities Addressed in Zyxel’s Update
In addition to CVE-2024-7261, Zyxel’s latest security updates address several other vulnerabilities in its routers and firewalls, some of which are categorized as high-risk. These vulnerabilities, if exploited, could lead to denial-of-service (DoS), OS command execution, or access to sensitive browser-based information.
Here’s a summary of key vulnerabilities patched:
- CVE-2024-5412 (CVSS score: 7.5): A buffer overflow vulnerability in the “libclinkc” library that could allow an unauthenticated attacker to cause DoS through a crafted HTTP request.
- CVE-2024-6343 (CVSS score: 4.9): A buffer overflow flaw that could allow an authenticated attacker with administrator privileges to trigger DoS conditions through a specially crafted HTTP request.
- CVE-2024-7203 (CVSS score: 7.2): A post-authentication command injection vulnerability that allows authenticated administrators to execute OS commands.
- CVE-2024-42057 (CVSS score: 8.1): A command injection flaw in the IPSec VPN feature, allowing unauthenticated attackers to execute OS commands.
- CVE-2024-42058 (CVSS score: 7.5): A null pointer dereference vulnerability enabling unauthenticated attackers to trigger DoS conditions by sending crafted packets.
- CVE-2024-42059 (CVSS score: 7.2): A post-authentication command injection vulnerability that allows authenticated users with administrative privileges to execute OS commands by uploading a crafted compressed language file via FTP.
- CVE-2024-42060 (CVSS score: 7.2): Another post-authentication command injection vulnerability affecting some firewall versions, allowing authenticated attackers to run OS commands.
- CVE-2024-42061 (CVSS score: 6.1): A reflected cross-site scripting (XSS) vulnerability that could allow attackers to trick users into visiting a malicious URL, enabling the theft of browser-based information.
D-Link Routers Affected by Critical Vulnerabilities
In parallel, D-Link has acknowledged multiple vulnerabilities in its DIR-846 router, including two critical remote command execution flaws (CVE-2024-44342, CVSS score: 9.8). However, these routers will not receive security patches as they reached end-of-life (EoL) in February 2020. Users are strongly urged to replace unsupported models with newer, supported devices to mitigate these risks.
Action Steps: Update Zyxel Devices Immediately
Given the high severity of these vulnerabilities, Zyxel users are strongly advised to apply the latest security patches without delay. Neglecting these updates could expose devices to unauthorized access, data breaches, and disruptions in service. To update, visit the official Zyxel support page and follow their step-by-step instructions for your device model.
Maintaining robust network security requires more than just patching vulnerabilities. Regularly updating device firmware, enabling advanced security settings, and using strong, unique credentials are essential practices in keeping networks secure from emerging cyber threats.
The discovery of vulnerabilities such as CVE-2024-7261 highlights the importance of staying proactive in device security. Zyxel users should promptly install the necessary patches to protect their systems. Users of older, unsupported hardware—like D-Link’s EoL routers—should upgrade to newer, more secure devices to mitigate future risks.