Advisory

Zyxel releases patches for multiple flaws, one critical enabling RCE

Take action: This is a big update for Zyxel routers. The critical flaw is the urgent one, especially since it can be exploited by sending a cookie to the router. Review the advisory, and if your routers are on the list, patch ASAP. The other flaws are less urgent but still wise to patch.


Learn More

Zyxel has released security updates to address multiple vulnerabilities across its networking devices, including a critical-severity flaw.

The critical flaw, tracked as CVE-2024-7261 (CVSS score 9.8), is an OS command injection vulnerability that arises from improper neutralization of special elements in the "host" parameter of the CGI program in some Zyxel access point (AP) and security router firmware versions. It allows unauthenticated attackers to execute arbitrary OS commands on vulnerable devices by sending a specially crafted cookie.

Affected Products

  • AP Models:

    • NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E
    • Affected versions: 7.00(xxx.1) and earlier
    • Patch availability: 7.00(xxx.2)
  • NWA1123 Series:

    • NWA1123-AC PRO
    • Affected version: 6.28(ABHD.0) and earlier
    • Patch availability: 6.28(ABHD.3)
    • NWA1123ACv3
    • Affected version: 6.70(ABVT.4) and earlier
    • Patch availability: 6.70(ABVT.5)
  • WAC Series:

    • WAC500, WAC500H, WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E
    • Affected versions: 6.28/6.70(xxx.x) and earlier
    • Patch availability: 6.28/6.70(xxx.x+1)
  • WAX and WBE Models:

    • WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E
    • Affected versions: 7.00(xxx.1) and earlier
    • Patch availability: 7.00(xxx.2)
    • WBE530, WBE660S
    • Affected versions: 7.00(xxx.1) and earlier
    • Patch availability: 7.00(xxx.2)
  • Security Router:

    • USG LITE 60AX
    • Affected version: V2.00(ACIP.2)
    • Patch availability: V2.00(ACIP.3)*

Patches have been released for all affected devices, and Zyxel advises users to update their devices promptly. There are no workarounds or mitigations available for this vulnerability.
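To turn the affected-products list above into something that can be run against a device inventory, here is an added example (not Zyxel's own tooling) that parses Zyxel's `major.minor(CODE.build)` version format and compares each device with the patch build listed for its model. The model codes in the sample inventory are constructed placeholders, and the WAC series is left out of the table because the advisory gives only a relative `xxx.x+1` patch build for it.

```python
import re

# Zyxel firmware versions look like "7.00(ABHD.1)" or "V2.00(ACIP.2)":
# major.minor, a model-specific code (shown as "xxx" in the advisory), and a build.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{3,5})\.(\d+)\)$")

def parse_version(text):
    """Return (major, minor, code, build) for a Zyxel version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, code, build = m.groups()
    return int(major), int(minor), code, int(build)

# First fixed (major, minor, build) per model, from the advisory's
# "Patch availability" lines. Anything below it ("and earlier", including
# older major.minor trains) is treated as affected. WAC models are omitted
# because the advisory only states a relative "xxx.x+1" patch build for them.
FIXED_BUILD = {
    "NWA50AX": (7, 0, 2), "NWA50AX PRO": (7, 0, 2), "NWA90AX": (7, 0, 2),
    "NWA110AX": (7, 0, 2), "NWA210AX": (7, 0, 2), "NWA220AX-6E": (7, 0, 2),
    "NWA1123-AC PRO": (6, 28, 3),     # 6.28(ABHD.3)
    "NWA1123ACv3": (6, 70, 5),        # 6.70(ABVT.5)
    "WAX510D": (7, 0, 2), "WAX650S": (7, 0, 2), "WBE530": (7, 0, 2),
    "USG LITE 60AX": (2, 0, 3),       # V2.00(ACIP.3)
}

def status(model, version):
    """'affected', 'patched', or 'unknown' (model not in the table above)."""
    fixed = FIXED_BUILD.get(model)
    if fixed is None:
        return "unknown"
    major, minor, _code, build = parse_version(version)
    return "affected" if (major, minor, build) < fixed else "patched"

def check_inventory(lines):
    """Classify 'model,version' lines (a constructed inventory format)."""
    report = {}
    for line in lines:
        model, version = (part.strip() for part in line.split(",", 1))
        report[model] = status(model, version)
    return report

# Constructed sample inventory; the letter codes are placeholders, not real builds.
SAMPLE_INVENTORY = [
    "NWA50AX,7.00(ABCD.1)",
    "NWA1123-AC PRO,6.28(ABHD.3)",
    "USG LITE 60AX,V2.00(ACIP.2)",
    "WAC500,6.28(ABCD.1)",
]

if __name__ == "__main__":
    for model, verdict in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{model}: {verdict}")
```

Devices reported as "unknown" still need a manual check against the advisory, since the table only covers models with an absolute patch build.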

Zyxel also addressed seven vulnerabilities in its APT, USG Flex, USG Flex 50(W), and USG20(W)-VPN firewalls and unified security gateways, which are commonly used by small and medium-sized businesses or at branch locations. The vulnerabilities include:

  1. Four vulnerabilities, CVE-2024-6343 (CVSS score 4.9), CVE-2024-7203 (CVSS score 7.2), CVE-2024-42059 (CVSS score 7.2) and CVE-2024-42060 (CVSS score 7.2), that allow Denial of Service (DoS) attacks or OS command injection and execution.

    • These can only be exploited by authenticated attackers with admin-level privileges.
  2. Three vulnerabilities, CVE-2024-42057 (CVSS score 8.1), CVE-2024-42058 (CVSS score 7.5) and CVE-2024-42061 (CVSS score 6.1), that allow unauthenticated attackers to execute OS commands, cause DoS, or obtain browser-based information through a crafted URL with an XSS payload.

  3. One vulnerability, CVE-2024-5412 (CVSS score 7.5), is a buffer overflow in the "libclinkc" library that affects some Zyxel 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices. It could allow an unauthenticated attacker to trigger a Denial of Service (DoS) condition by sending a specially crafted HTTP request to a vulnerable device.

Patches are available for a limited number of devices, while others require users to contact their local Zyxel support team for the update. Zyxel advises end-users who obtained devices from an ISP to reach out to their ISP's support team for assistance.
