Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers

Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.

Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.

“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in an advisory.

Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw.

Zyxel has also shipped updates for eight vulnerabilities in its routers and firewalls, including few that are high in severity, that could result in OS command execution, a denial-of-service (DoS), or access browser-based information -

• CVE-2024-5412 (CVSS score: 7.5) - A buffer overflow vulnerability in the “libclinkc” library that could allow an unauthenticated attacker to cause DoS conditions by means of a specially crafted HTTP request
• CVE-2024-6343 (CVSS score: 4.9) - A buffer overflow vulnerability that could allow an authenticated attacker with administrator privileges to trigger DoS conditions by means of a specially crafted HTTP request
• CVE-2024-7203 (CVSS score: 7.2) - A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands
• CVE-2024-42057 (CVSS score: 8.1) - A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to execute some OS commands
• CVE-2024-42058 (CVSS score: 7.5) - A null pointer dereference vulnerability that could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets
• CVE-2024-42059 (CVSS score: 7.2) - A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute some OS commands by uploading a crafted compressed language file via FTP
• CVE-2024-42060 (CVSS score: 7.2) - A post-authentication command injection vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to execute some OS commands
• CVE-2024-42061 (CVSS score: 6.1) - A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” that could allow an attacker to trick a user into visiting a crafted URL with the XSS payload and obtain browser-based information

The development comes as D-Link said four security vulnerabilities affecting its DIR-846 router, counting two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8) will not be patched owing to the products reaching end-of-life (EoL) status of February 2020, urging customers to replace them with support versions.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.