Zyxel has launched software program updates to handle a important security flaw impacting sure entry level (AP) and security router variations that would consequence within the execution of unauthorized instructions.
Tracked as CVE-2024-7261 (CVSS rating: 9.8), the vulnerability has been described as a case of working system (OS) command injection.
“The improper neutralization of particular components within the parameter ‘host’ within the CGI program of some AP and security router variations might permit an unauthenticated attacker to execute OS instructions by sending a crafted cookie to a weak gadget,” Zyxel stated in an advisory.
Chengchao Ai from the ROIS group of Fuzhou College has been credited with discovering and reporting the flaw.
Zyxel has additionally shipped updates for seven vulnerabilities in its routers and firewalls, together with few which might be excessive in severity, that would end in OS command execution, a denial-of-service (DoS), or entry browser-based info –
- CVE-2024-5412 (CVSS rating: 7.5) – A buffer overflow vulnerability within the “libclinkc” library that would permit an unauthenticated attacker to trigger DoS situations by the use of a specifically crafted HTTP request
- CVE-2024-6343 (CVSS rating: 4.9) – A buffer overflow vulnerability that would permit an authenticated attacker with administrator privileges to set off DoS situations by the use of a specifically crafted HTTP request
- CVE-2024-7203 (CVSS rating: 7.2) – A post-authentication command injection vulnerability that would permit an authenticated attacker with administrator privileges to execute OS instructions
- CVE-2024-42057 (CVSS rating: 8.1) – A command injection vulnerability within the IPSec VPN function that would permit an unauthenticated attacker to execute some OS instructions
- CVE-2024-42058 (CVSS rating: 7.5) – A null pointer dereference vulnerability that would permit an unauthenticated attacker to trigger DoS situations by sending crafted packets
- CVE-2024-42059 (CVSS rating: 7.2) – A post-authentication command injection vulnerability that would permit an authenticated attacker with administrator privileges to execute some OS instructions by importing a crafted compressed language file through FTP
- CVE-2024-42060 (CVSS rating: 7.2) – A post-authentication command injection vulnerability in some firewall variations might permit an authenticated attacker with administrator privileges to execute some OS instructions
- CVE-2024-42061 (CVSS rating: 6.1) – A mirrored cross-site scripting (XSS) vulnerability within the CGI program “dynamic_script.cgi” that would permit an attacker to trick a person into visiting a crafted URL with the XSS payload and procure browser-based info
The event comes as D-Hyperlink stated 4 security vulnerabilities affecting its DIR-846 router, counting two important distant command execution vulnerabilities (CVE-2024-44342, CVSS rating: 9.8) won’t be patched owing to the merchandise reaching end-of-life (EoL) standing of February 2020, urging prospects to interchange them with assist variations.
