Zyxel has issued a series of critical software updates to remediate a significant security vulnerability affecting numerous models of its access points and security routers. The flaw, logged as CVE-2024-7261 and assigned a high CVSS score of 9.8, is categorized as an operating system command injection vulnerability and poses a serious risk to devices that lack proper safeguards against unauthorized command execution.
The potential exploit arises from the inadequate filtering of special characters within the “host” parameter of the CGI program utilized by certain Zyxel devices. This loophole allows unauthenticated attackers to execute arbitrary commands by sending specially crafted cookies to compromised devices. Zyxel acknowledged the issue in an advisory, emphasizing the need for prompt remediation to avoid exploitation.
The vulnerability was uncovered by Chengchao Ai, a researcher from the ROIS team at Fuzhou University, who recognized the potential risks and responsibly disclosed the findings to Zyxel. The company’s quick action reflects its commitment to maintaining the integrity and security of its product offerings.
In addition to addressing the command injection flaw, Zyxel has rolled out updates for a total of eight vulnerabilities across its router and firewall products. Among these security concerns are several critical vulnerabilities that could lead to unauthorized command execution, denial-of-service (DoS) conditions, or even access to sensitive browser-based information. For instance, a particular buffer overflow vulnerability tied to the “libclinkc” library, identified as CVE-2024-5412, could be exploited by unauthorized individuals via crafted HTTP requests.
Other vulnerabilities include post-authentication command injection concerns—such as CVE-2024-7203 and CVE-2024-42059—where an authenticated administrator could leverage these flaws to execute system commands illicitly. Furthermore, two separate command injection vulnerabilities in the IPSec VPN feature (CVE-2024-42057) could permit an unauthenticated attacker to run OS commands. These vulnerabilities underscore how critical it is for organizations to implement security updates immediately.
Zyxel’s proactive measures come amid similar challenges facing other manufacturers in the industry. D-Link, for example, acknowledged ongoing risks linked to four vulnerabilities in its DIR-846 router, including two severe remote command execution flaws with an equally high CVSS score. The company stated that due to the product reaching its end-of-life status in February 2020, no patches would be developed, urging users to transition to supported devices.
These incidents collectively highlight the necessity for business owners to remain vigilant in the face of evolving cybersecurity threats. The potential tactics associated with these vulnerabilities align with facets of the MITRE ATT&CK framework, notably in areas such as initial access, persistence, and privilege escalation. As attackers exploit vulnerabilities to elevate their permissions and execute unauthorized commands, the imperative for robust cybersecurity practices becomes ever more pressing.
In light of these developments, organizations relying on Zyxel and similar devices should prioritize immediate software updates and engage in comprehensive security audits to mitigate authorized access risks. By staying informed and proactive, businesses can better safeguard themselves against the damaging consequences of cyber threats.