Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.
Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.
“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in an advisory.
Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw.
Zyxel has also shipped updates for seven vulnerabilities in its routers and firewalls, including a few that are high in severity, that could result in OS command execution, a denial-of-service (DoS), or access to browser-based information –
- CVE-2024-5412 (CVSS score: 7.5) – A buffer overflow vulnerability in the “libclinkc” library that could allow an unauthenticated attacker to cause DoS conditions by means of a specially crafted HTTP request
- CVE-2024-6343 (CVSS score: 4.9) – A buffer overflow vulnerability that could allow an authenticated attacker with administrator privileges to trigger DoS conditions by means of a specially crafted HTTP request
- CVE-2024-7203 (CVSS score: 7.2) – A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands
- CVE-2024-42057 (CVSS score: 8.1) – A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to execute some OS commands
- CVE-2024-42058 (CVSS score: 7.5) – A null pointer dereference vulnerability that could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets
- CVE-2024-42059 (CVSS score: 7.2) – A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute some OS commands by uploading a crafted compressed language file via FTP
- CVE-2024-42060 (CVSS score: 7.2) – A post-authentication command injection vulnerability in some firewall versions that could allow an authenticated attacker with administrator privileges to execute some OS commands
- CVE-2024-42061 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” that could allow an attacker to trick a user into visiting a crafted URL with the XSS payload and obtain browser-based information
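As an added example (not code from Zyxel's advisory or from this article), the defensive pattern that addresses the vulnerability class behind CVE-2024-7261 and the command-injection entries listed above: a `host` value arriving in a cookie is checked against a strict hostname/IP-literal grammar before it reaches any system utility, and the utility is invoked with an argv list rather than a shell string, so shell metacharacters never get interpreted. The function names, the cookie layout and the use of `ping` as the downstream utility are assumptions for illustration.

```python
import ipaddress
import re
import subprocess
from http.cookies import SimpleCookie
from typing import List, Optional

# Hypothetical hardened handling of a "host" parameter (added example, not vendor code).
# A DNS label is 1-63 characters of letters, digits and hyphens, and may not start
# or end with a hyphen; a full name is at most 253 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_host(value: str) -> bool:
    """Return True only if value is a syntactically valid hostname or IPv4/IPv6 literal."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts e.g. 192.0.2.10 or 2001:db8::1
        return True
    except ValueError:
        pass
    name = value[:-1] if value.endswith(".") else value  # tolerate a trailing dot
    return all(_LABEL.match(label) for label in name.split("."))


def extract_host_from_cookie(cookie_header: str) -> Optional[str]:
    """Pull the 'host' value out of a Cookie header; None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("host")
    return morsel.value if morsel is not None else None


def build_ping_argv(host: str) -> List[str]:
    """Build the argv for ping; refuse anything that is not a plain host.

    Validation happens before the value is used anywhere, and the result is a
    list for subprocess, never a string for a shell, so characters such as
    ';', '|', '&' or '$' cannot change which program runs.
    """
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the validated ping command without a shell and return its exit code."""
    return subprocess.run(build_ping_argv(host), check=False).returncode


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    samples = [
        "host=example.com; lang=en",
        "host=192.0.2.10",
        "host=example.com;echo",
        "lang=en",
    ]
    for header in samples:
        host = extract_host_from_cookie(header)
        try:
            print(header, "->", build_ping_argv(host) if host else "no host")
        except ValueError as exc:
            print(header, "->", exc)
```

The rejection happens on the whole value, not by stripping "bad" characters: an allowlist of what a host may look like is far easier to get right than a blocklist of shell syntax, and it keeps the check independent of which utility consumes the value later.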
The development comes as D-Link said four security vulnerabilities affecting its DIR-846 router, including two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8), will not be patched owing to the product reaching end-of-life (EoL) status in February 2020, urging customers to replace them with supported versions.