Security News > 2024 > September > Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers
2024-09-04 11:27
Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands. Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection. "The improper neutralization of special elements in the
News URL
https://thehackernews.com/2024/09/zyxel-patches-critical-os-command.html
Related news
- Zyxel warns of critical OS command injection flaw in routers (source)
- Critical flaw in Zyxel’s secure routers allows OS command execution via cookie (CVE-2024-7261) (source)
- Zyxel fixes critical command injection flaw in EOL NAS devices (CVE-2024-6342) (source)
- D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-03 | CVE-2024-7261 | OS Command Injection vulnerability in Zyxel products The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. | 9.8 |