Zyxel has released security updates to close a critical vulnerability in several of its business routers and access points. The vulnerability, rated with a CVSS v3 score of 9.8, may allow unauthenticated attackers to inject operating system commands. Firmware updates that close the vulnerability are available.
A Swiss blog reader pointed out to me (thanks for that) that Zyxel has published new security advisories in its global support center.
- Zyxel security advisory for OS command injection vulnerability in APs and security router devices
- Zyxel security advisory for multiple vulnerabilities in firewalls
- Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices
Vulnerability CVE-2024-7261 exists due to improper neutralization of special elements in the "host" parameter in the CGI program of some AP and security router versions. This could allow an unauthenticated attacker to execute operating system commands by sending a manipulated cookie to a vulnerable device.
The vulnerability CVE-2024-7261 has been assigned a CVSS v3 score of 9.8 ("critical"), and Zyxel has released firmware updates to close the vulnerabilities. Details on affected devices and the remaining vulnerabilities, as well as a list of available patches, can be found in the security advisories linked above. Bleeping Computer has also published an article about the vulnerability.
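The weakness described in the advisory, "improper neutralization of special elements" in a request parameter that ends up in an operating system command, is the classic OS command injection pattern: a CGI handler takes a value such as a host name from the request (here via a cookie), pastes it into a command string and hands it to a shell. The following is an added, generic illustration of that pattern and its fix, not Zyxel's code and not derived from the affected firmware; the `ping` use case, the function names and the validation rules are assumptions for the example. The hardened version rejects anything that is not a plain host name and then executes the binary directly with an argument vector, so no shell ever sees the input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOST_MAX 253

/* Vulnerable pattern (hypothetical, shown only as a comment so it is never run):
 *
 *   char cmd[512];
 *   snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);  // host copied straight from the request
 *   system(cmd);                                      // the shell interprets ; | & $ ` etc.
 *
 * Anything the shell treats as special inside `host` becomes a second command.
 */

/* Allowlist validator (assumed rules for this example): a host name is a
 * dot-separated sequence of labels made of letters, digits and '-', each label
 * 1..63 characters and not starting or ending with '-', at most 253 characters
 * in total. Everything else, including every shell metacharacter, is rejected. */
int hostname_is_safe(const char *host)
{
    size_t len, label_len = 0;

    if (host == NULL)
        return 0;
    len = strlen(host);
    if (len == 0 || len > HOST_MAX)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* empty label ("a..b", ".a") or label ending in '-' */
            if (label_len == 0 || host[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;
        if (c == '-' && label_len == 0)   /* label may not start with '-' */
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* last label must be non-empty and must not end with '-' */
    return (label_len > 0 && host[len - 1] != '-') ? 1 : 0;
}

/* Builds the argument vector for "ping -c 1 <host>" into out[] (needs 5 slots,
 * the last one for the terminating NULL). Returns the number of arguments, or 0
 * if the host name was rejected. Because each argument is a separate element,
 * the host is passed to ping verbatim and never parsed by a shell. */
int build_ping_argv(const char *host, const char *out[], size_t out_len)
{
    if (out_len < 5 || !hostname_is_safe(host))
        return 0;
    out[0] = "ping";
    out[1] = "-c";
    out[2] = "1";
    out[3] = host;
    out[4] = NULL;
    return 4;
}

/* Hardened handler: validate, then fork/execvp with the argument vector.
 * Returns ping's exit status, or -1 if the input was rejected or exec failed. */
int run_ping_safely(const char *host)
{
    const char *argv[5];
    int status = 0;
    pid_t pid;

    if (build_ping_argv(host, argv, 5) == 0)
        return -1;                         /* reject before anything executes */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one ordinary host name, one carrying a shell
     * metacharacter of the kind an injection attempt would rely on. */
    const char *inputs[] = { "example.com", "example.com;echo", "-bad.com" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s -> %s\n", inputs[i],
               hostname_is_safe(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two defences are independent: the allowlist stops malformed input at the boundary, and the argument-vector execution means that even a validator bug cannot turn a value into a shell command. A CGI program that has to call external tools should have both; a `system()` or `popen()` call with any request-derived string in it is the thing to look for when auditing such code.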