Main Vulnerability Database SB2024090324

SB2024090324 - OS Command Injection in Zyxel APs and security router devices

Published: September 3, 2024

Security Bulletin ID SB2024090324

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) OS Command Injection (CVE-ID: CVE-2024-7261)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper neutralization of special elements in the "host" parameter in the CGI program. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

Vulnerable Software

NWA50AX: 7.00(ABYW.1) and previous versions
NWA50AX PRO: 7.00(ACGE.1) and previous versions
NWA55AXE: 7.00(ABZL.1) and previous versions
NWA90AX: 7.00(ACCV.1) and previous versions
NWA90AX PRO: 7.00(ACGF.1) and previous versions
NWA110AX: 7.00(ABTG.1) and previous versions
NWA130BE: 7.00(ACIL.1) and previous versions
NWA210AX: 7.00(ABTD.1) and previous versions
NWA220AX-6E: 7.00(ACCO.1) and previous versions
NWA1123-AC PRO: 6.28(ABHD.0) and previous versions
NWA1123ACv3: 6.70(ABVT.4) and previous versions
WAC500: 6.70(ABVS.4) and previous versions
WAC500H: 6.70(ABWA.4) and previous versions
WAC6103D-I: 6.28(AAXH.0) and previous versions
WAC6502D-S: 6.28(AASE.0) and previous versions
WAC6503D-S: 6.28(AASF.0) and previous versions
WAC6552D-S: 6.28(ABIO.0) and previous versions
WAC6553D-E: 6.28(AASG.2) and previous versions
WAX300H: 7.00(ACHF.1) and previous versions
WAX510D: 7.00(ABTF.1) and previous versions
WAX610D: 7.00(ABTE.1) and previous versions
WAX620D-6E: 7.00(ACCN.1) and previous versions
WAX630S: 7.00(ABZD.1) and previous versions
WAX640S-6E: 7.00(ACCM.1) and previous versions
WAX650S: 7.00(ABRM.1) and previous versions
WAX655E: 7.00(ACDO.1) and previous versions
WBE530: 7.00(ACLE.1) and previous versions
WBE660S: 7.00(ACGG.1) and previous versions
USG LITE 60AX: 2.00(ACIP.2)

SB2024090324 - OS Command Injection in Zyxel APs and security router devices

Breakdown by Severity

Description

Remediation

References

Please verify you're human