Security News > 2024 > September > Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261)

Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices. CVE-2024-7261 CVE-2024-7261 is an OS command injection vulnerability that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security … More → The post Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261) appeared first on Help Net Security.
News URL
https://www.helpnetsecurity.com/2024/09/03/cve-2024-7261/
Related news
- Netgear warns users to patch critical WiFi router vulnerabilities (source)
- Zyxel won’t patch newly exploited flaws in end-of-life routers (source)
- Swap EOL Zyxel routers, upgrade Netgear ones! (source)
- Juniper patches critical auth bypass in Session Smart routers (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) (source)
- CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug (source)
- Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-09-03 | CVE-2024-7261 | OS Command Injection vulnerability in Zyxel products The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. | 9.8 |