Zyxel, a prominent networking equipment manufacturer, has recently released critical security patches addressing a severe vulnerability affecting several of its business router models. This vulnerability, identified as CVE-2024-7261, could potentially allow unauthenticated attackers to execute arbitrary commands on affected devices. The discovery and subsequent patching of this flaw underscore the ongoing importance of vigilant cybersecurity measures in network infrastructure.
Understanding the Critical Vulnerability
The vulnerability, CVE-2024-7261, has been assigned a CVSS score of 9.8, categorizing it as critical. This high-severity flaw stems from improper handling of user-provided data, specifically in the CGI program’s host parameter. Exploiting this vulnerability could allow remote attackers to execute arbitrary commands on the host operating system, potentially compromising the entire network.
Zyxel’s security advisory explains that the vulnerability arises from “incorrect neutralization of special elements in the host parameter” in certain access point and router models. This flaw enables unauthorized attackers to execute commands by sending specially crafted cookies to vulnerable devices.
Affected Devices and Mitigation
The critical vulnerability impacts several Zyxel business router models, including:
- USG FLEX 100(W)
- USG FLEX 200
- USG FLEX 500
- USG FLEX 700
- ATP series
Zyxel has also noted that USG LITE 60AX routers running firmware version V2.00(ACIP.2) are affected. However, these devices will automatically update through the cloud to version V2.00(ACIP.3), which includes the patch for CVE-2024-7261.
Additional Security Updates
In addition to addressing the critical vulnerability, Zyxel has patched seven other security flaws affecting various firewall series, including ATP, USG-FLEX, and USG FLEX 50(W)/USG20(W)-VPN. These vulnerabilities range from medium to high severity and address issues such as command injection, cross-site scripting (XSS), and information disclosure.
Furthermore, Zyxel identified and patched a buffer overflow vulnerability (CVE-2024-5412) with a CVSS score of 7.5 in the libclinkc library. This flaw affects 50 Zyxel products, including customer premises equipment, fiber terminals, and routers. If exploited, it could allow unauthorized attackers to conduct denial-of-service (DoS) attacks by sending modified HTTP requests.
The comprehensive nature of these security updates highlights Zyxel’s commitment to addressing vulnerabilities across its product line. Network administrators and IT professionals managing Zyxel devices should prioritize applying these patches to mitigate potential security risks. Regular firmware updates and security assessments remain crucial in maintaining a robust cybersecurity posture for network infrastructure.