Security News > 2022 > May > Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability
Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution.
"A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device," the company said in an advisory published Thursday.
Rapid 7 noted that there are at least 16,213 vulnerable Zyxel devices exposed to the internet, making it a lucrative attack vector for threat actors to stage potential exploitation attempts.
The cybersecurity firm also pointed out that Zyxel silently issued fixes to address the issue on April 28, 2022 without publishing an associated Common Vulnerabilities and Exposures identifier or a security advisory.
"Silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues," Rapid7 researcher Jake Baines said.
The advisory comes as Zyxel addressed three different issues, including a command injection, a buffer overflow, and a local privilege escalation flaw, in its VMG3312-T20A wireless router and AP Configurator that could lead to arbitrary code execution.
News URL
https://thehackernews.com/2022/05/zyxel-releases-patch-for-critical.html
Related news
- Microsoft waited 6 months to patch actively exploited admin-to-kernel vulnerability (source)
- March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining (source)
- Critical Rust flaw enables Windows command injection attacks (source)
- Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks (source)
- Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib (source)