Zyxel fixed critical OS command injection flaw in multiple routers
September 04, 2024
Taiwanese manufacturer Zyxel addressed a critical OS command injection flaw affecting multiple models of its business routers.
Zyxel has released security updates to address a critical vulnerability, tracked as CVE-2024-7261 (CVSS v3 score of 9.8), impacting multiple models of its business routers.
The flaw is an operating system (OS) command injection issue that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.
An unauthenticated attacker can execute OS commands by sending a specially crafted cookie to a vulnerable device.
“Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions.” reads the advisory. “The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”
Below is the list of affected models and related patches:
Chengchao Ai from the ROIS team at Fuzhou University discovered the vulnerability.
Zyxel routers were already targeted by threat actors in the past, in August 2023, a variant of the Gafgyt botnet actively attempted to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8), impacting the end-of-life Zyxel P660HN-T1A router.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, routers)