Zyxel has released software updates to address a critical security flaw affecting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.
Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.
“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in an advisory.
Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw.
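The advisory language ("improper neutralization of special elements" in a cookie-supplied `host` value) is the textbook CWE-78 pattern. The following added example is not Zyxel's code and does not model its CGI program; it is a constructed illustration of the same bug class: a naive cookie parser, a handler that splices the `host` value into a command line, the hardened equivalent that validates against an allowlist and builds an argv vector for exec-style invocation, and a small detection helper of the sort a WAF or log rule would use. The request shape, the `ping` command and the sample cookies are all assumptions.

```python
"""Added example: cookie-supplied 'host' parameter, vulnerable vs. hardened.

Constructed for illustration; not Zyxel's code. The command (ping), the cookie
names and the sample headers are assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
import re

# Conservative hostname allowlist: RFC 1123 labels joined by dots. Nothing that
# a shell treats specially (; | & $ ` < > ( ) space, quotes) can match it.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Characters with shell metacharacter meaning; used only for detection.
_SHELL_META = set(";|&$`<>()\n\r'\" \t\\")


def parse_cookie_header(header: str) -> dict[str, str]:
    """Naive Cookie header parser of the kind small CGI programs often embed:
    split on ';', then on the first '='. Constructed for the example."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def vulnerable_command(header: str) -> str:
    """CWE-78 pattern: the cookie value is spliced verbatim into a command line
    that a real handler would hand to system()/popen(). The string is returned
    rather than executed so it can be inspected safely."""
    host = parse_cookie_header(header).get("host", "")
    return f"ping -c 1 {host}"


def is_valid_host(value: str) -> bool:
    """Allowlist check: an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(value) is not None


def hardened_argv(header: str) -> list[str] | None:
    """Neutralized form: validate the value against the allowlist, then build an
    argv vector for subprocess.run(argv) with no shell, so the value is never
    interpreted by a shell at all. None means 'reject the request'."""
    host = parse_cookie_header(header).get("host")
    if host is None or not is_valid_host(host):
        return None
    return ["ping", "-c", "1", host]


def flag_metachar_cookies(header: str) -> list[str]:
    """Detection helper: names of cookies whose values carry shell
    metacharacters, for a WAF rule or request-log triage."""
    return sorted(
        name
        for name, value in parse_cookie_header(header).items()
        if any(ch in _SHELL_META for ch in value)
    )


if __name__ == "__main__":
    # Constructed sample requests: one benign, one injection attempt.
    benign = "session=abc123; host=192.0.2.1"
    hostile = "session=abc123; host=192.0.2.1|echo injected"
    for hdr in (benign, hostile):
        print("raw command :", vulnerable_command(hdr))
        print("hardened    :", hardened_argv(hdr))
        print("flagged     :", flag_metachar_cookies(hdr))
```

The hardening has two independent layers, and both matter: the allowlist rejects anything that is not a host, and the argv form means that even a value that slipped through validation would reach the program as a single argument rather than as shell syntax. The detection helper is deliberately noisy (a space in a cookie value is enough to flag it), which is the right trade-off for triaging requests to an unauthenticated CGI endpoint.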
Zyxel has also shipped updates for seven vulnerabilities in its routers and firewalls, including a few that are high in severity, that could lead to OS command execution, a denial-of-service (DoS), or access to browser-based information –
- CVE-2024-5412 (CVSS score: 7.5) – A buffer overflow vulnerability in the “libclinkc” library that could allow an unauthenticated attacker to cause DoS conditions via a specially crafted HTTP request
- CVE-2024-6343 (CVSS score: 4.9) – A buffer overflow vulnerability that could allow an authenticated attacker with administrator privileges to trigger DoS conditions via a specially crafted HTTP request
- CVE-2024-7203 (CVSS score: 7.2) – A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands
- CVE-2024-42057 (CVSS score: 8.1) – A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to execute some OS commands
- CVE-2024-42058 (CVSS score: 7.5) – A null pointer dereference vulnerability that could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets
- CVE-2024-42059 (CVSS score: 7.2) – A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute some OS commands by uploading a crafted compressed language file via FTP
- CVE-2024-42060 (CVSS score: 7.2) – A post-authentication command injection vulnerability in some firewall versions that could allow an authenticated attacker with administrator privileges to execute some OS commands
- CVE-2024-42061 (CVSS score: 6.1) – A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi” that could allow an attacker to trick a user into visiting a crafted URL with the XSS payload and obtain browser-based information
The development comes as D-Link said four security vulnerabilities affecting its DIR-846 router, including two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8), won’t be patched owing to the product having reached end-of-life (EoL) status as of February 2020, urging customers to replace them with supported versions.