Zyxel Patched Numerous Security Flaws Across Different Products


Zyxel made headlines this month with the release of multiple security patches for vulnerabilities found in its firewalls and router devices. One of the most critical vulnerabilities discovered affected Zyxel routers, posing a risk of OS command injection.

Zyxel Routers Vulnerable to Critical OS Command Injection

According to Zyxel's security advisory, a significant OS command injection vulnerability was identified in various Zyxel routers. Tracked as CVE-2024-7261, the flaw affects certain access point (AP) and security router versions and could allow unauthorized execution of OS commands.

The CVE listing elaborated on the vulnerability and the affected devices, stating:

The vulnerability in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and older, WAC500 firmware version 6.70(ABVS.4) and older, WAX655E firmware version 7.00(ACDO.1) and older, WBE530 firmware version 7.00(ACLE.1) and older, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an attacker to execute OS commands by sending a manipulated cookie to a vulnerable device.

This critical vulnerability was assigned a CVSS score of 9.1. Zyxel promptly released patched firmware versions for the affected AP and security router devices and urged users to update their devices to protect against potential exploits.
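For triaging an inventory against the firmware versions quoted above, the following is an added example, not code from Zyxel or from the original article. It assumes firmware strings have the shape shown in the CVE text (an optional "V", then major.minor, then a four-letter product code and patch number in parentheses); the inventory entries are constructed.

```python
import re

# Affected firmware per the CVE-2024-7261 text quoted above:
# model -> (listed version, True if the text says "and older")
AFFECTED = {
    "NWA1123ACv3": ("6.70(ABVT.4)", True),
    "WAC500": ("6.70(ABVS.4)", True),
    "WAX655E": ("7.00(ACDO.1)", True),
    "WBE530": ("7.00(ACLE.1)", True),
    "USG LITE 60AX": ("V2.00(ACIP.2)", False),  # listed without "and older"
}

# Assumption: any suffix after the closing parenthesis is ignored.
_VERSION = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)")

def parse_version(text):
    """Split '6.70(ABVT.4)' into ('ABVT', (6, 70, 4))."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, code, patch = m.groups()
    return code, (int(major), int(minor), int(patch))

def is_affected(model, firmware):
    """True/False for listed models, None when the model is not listed."""
    if model not in AFFECTED:
        return None
    limit_text, and_older = AFFECTED[model]
    limit_code, limit = parse_version(limit_text)
    code, version = parse_version(firmware)
    # Assumption: the code in parentheses identifies the product line,
    # so a mismatch means the string belongs to a different model.
    if code != limit_code:
        raise ValueError(f"{firmware!r} does not look like {model} firmware")
    return version <= limit if and_older else version == limit

# Constructed inventory (not real devices).
INVENTORY = [
    ("NWA1123ACv3", "6.70(ABVT.3)"),
    ("WAC500", "6.70(ABVS.5)"),
    ("USG LITE 60AX", "V2.00(ACIP.2)"),
    ("WAX655E", "7.00(ACDO.1)"),
]

def triage(inventory):
    """Return the (model, firmware) pairs that still need the update."""
    return [(m, fw) for m, fw in inventory if is_affected(m, fw)]

if __name__ == "__main__":
    for model, fw in triage(INVENTORY):
        print(f"UPDATE NEEDED: {model} running {fw}")
```

A model missing from the table returns None rather than False, so unlisted devices are not silently reported as safe.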

High-Severity Buffer Overflow Issue Resolved Across Product Line

At the same time, Zyxel addressed a high-severity buffer overflow flaw. This vulnerability, identified as CVE-2024-5412, received a CVSS score of 7.5.

The vulnerability impacted various products, including 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extenders, and security router devices. It could allow an unauthenticated attacker to cause a denial of service on the target device by sending maliciously crafted HTTP requests.

Zyxel provided a comprehensive list of affected products along with the corresponding patched releases in its advisory.

Multiple Security Flaws Mitigated in Zyxel Firewalls

In addition to the above fixes, Zyxel also addressed seven other security vulnerabilities affecting various firewall models. These vulnerabilities included:

  • CVE-2024-6343 (medium; CVSS 4.9): a buffer overflow vulnerability in the CGI program that could be exploited by an authenticated adversary with admin privileges to trigger a denial of service.
  • CVE-2024-7203 (high; CVSS 7.2): a post-authentication OS command injection vulnerability that could be leveraged by an attacker through malicious CLI commands.
  • CVE-2024-42057 (high; CVSS 8.1): an OS command injection vulnerability affecting the IPSec VPN feature of firewalls, enabling attacks from an unauthenticated adversary.
  • CVE-2024-42058 (high; CVSS 7.5): a null pointer dereference vulnerability that an unauthenticated adversary could exploit to cause a DoS.
  • CVE-2024-42059 (high; CVSS 7.2): another post-authentication OS command injection vulnerability that could be exploited by an authenticated adversary uploading a crafted compressed language file via FTP.
  • CVE-2024-42060 (high; CVSS 7.2): An authenticated attacker could exploit this OS command injection vulnerability by uploading a crafted internal user agreement file to the target device.
  • CVE-2024-42061 (medium; CVSS 6.1): a reflected cross-site scripting (XSS) vulnerability in the CGI program dynamic_script.cgi of firewalls.

The vulnerabilities affected various Zyxel ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN models. Zyxel promptly released patches for all affected devices through software updates, detailed in its advisory. Users are advised to ensure their devices are updated with the latest versions to safeguard against potential security risks.
