Security News > 2024 > September > Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261)
2024-09-03 12:47
Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices. CVE-2024-7261 CVE-2024-7261 is an OS command injection vulnerability that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security … More → The post Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261) appeared first on Help Net Security.
News URL
https://www.helpnetsecurity.com/2024/09/03/cve-2024-7261/
Related news
- Zyxel warns of critical OS command injection flaw in routers (source)
- Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers (source)
- Zyxel fixes critical command injection flaw in EOL NAS devices (CVE-2024-6342) (source)
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856) (source)
- Critical 1Password flaws may allow hackers to snatch your passwords (CVE-2024-42219, CVE-2024-42218) (source)
- Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986) (source)
- Critical GitHub Enterprise Server auth bypass flaw fixed (CVE-2024-6800) (source)
- Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987) (source)
- SonicWall patches critical flaw affecting its firewalls (CVE-2024-40766) (source)
- Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-03 | CVE-2024-7261 | OS Command Injection vulnerability in Zyxel products The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. | 9.8 |