Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261)
Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices.
CVE-2024-7261
CVE-2024-7261 is an OS command injection vulnerability that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.
Privately reported to Zyxel by Chengchao Ai, from the ROIS team of Fuzhou University, the vulnerability affects:
- Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier
- WAC500 firmware version 6.70(ABVS.4) and earlier
- WAX655E firmware version 7.00(ACDO.1) and earlier
- WBE530 firmware version 7.00(ACLE.1) and earlier, and
- USG LITE 60AX firmware version V2.00(ACIP.2)
Patches for all have been made available, and users are advised to upgrade their devices as soon as possible. Zyxel doesn’t mention any possible workarounds or available mitigations.
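To make the "improper neutralization" described for CVE-2024-7261 concrete from the defender's side, here is an added example (not Zyxel's code, and not based on the affected CGI program) showing the two controls a practitioner would want: a strict allowlist check for a "host" value, and a scan over constructed web-server log lines that records the Cookie header, flagging requests whose decoded host value fails that check. The log format, field names and sample values are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Allowlist check for a "host" parameter: accept only a well-formed hostname or IP
# literal. Rejecting everything else is the neutralization step the advisory
# describes as missing; escaping metacharacters one by one is far easier to get wrong.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SHELL_META = re.compile(r"[;&|`$(){}<>\n\r'\"\\ ]")

def is_valid_host(value: str) -> bool:
    """True only if value is a syntactically valid hostname or IPv4/IPv6 address."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))

# Constructed sample in a hypothetical access-log format (not Zyxel's own) in which
# the web server records the Cookie header with percent-encoded values.
SAMPLE_LOG = """\
2024-09-03T10:00:01Z 192.0.2.10 cookie="host=ap01.example.net"
2024-09-03T10:00:02Z 192.0.2.11 cookie="host=2001:db8::1"
2024-09-03T10:00:03Z 198.51.100.7 cookie="host=10.0.0.1%3Bls"
2024-09-03T10:00:04Z 198.51.100.7 cookie="host=%24(ls)"
"""
_LINE = re.compile(r'^(\S+) (\S+) cookie="host=([^"]*)"')

def scan_log(text: str) -> list:
    """Flag requests whose decoded host cookie fails validation, noting metacharacters."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts, client, raw = m.groups()
        value = unquote(raw)  # decode %XX so encoded metacharacters become visible
        if not is_valid_host(value):
            findings.append({"time": ts, "client": client, "value": value,
                             "metachars": sorted(set(_SHELL_META.findall(value)))})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} rejected host={f['value']!r} metachars={f['metachars']}")
```

The same allowlist function is what a CGI handler should apply before the value reaches any shell; the log scan only tells you which clients already tried.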
Multiple vulnerabilities in Zyxel firewalls
Zyxel has fixed seven vulnerabilities affecting its APT, USG Flex, USG Flex 50(W), and USG20(W)-VPN firewalls / unified security gateways, which are intended for use by small and medium-sized businesses, as well as at branch locations.
The list includes four vulnerabilities – leading to DoS or allowing command injection and execution – that can only be exploited if the attacker is authenticated and has admin-level privileges (CVE-2024-6343, CVE-2024-7203, CVE-2024-42059, CVE-2024-42060).
The remaining three (CVE-2024-42057, CVE-2024-42058, CVE-2024-42061) could allow an unauthenticated attacker to execute OS commands on an affected device, cause DoS, or obtain browser-based information after a user is tricked into visiting a crafted URL carrying the XSS payload.
CVE-2024-5412
A buffer overflow vulnerability (CVE-2024-5412) in the library “libclinkc” of some of Zyxel’s 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices may allow an unauthenticated attacker to trigger a denial of service (DoS) condition by sending a specially crafted HTTP request to a vulnerable device.
Patches are directly available for download for a small number of devices; for most of the affected devices, end users can obtain them only by contacting their local Zyxel support team.
“For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings,” the company advised. “For ISPs, please contact your Zyxel sales or service representatives for further details.”