CVE-2024-7261: OS Command Injection
First published: Tue Sep 03 2024(Updated: )
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.
Credit: security@zyxel.com.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Zyxel NWA110AX | <7.00\(abtg.2\) | |
| Zyxel NWA110AX firmware | ||
| All of | ||
| Zyxel NWA1123-AC-PRO Firmware | <6.28\(abhd.3\) | |
| Zyxel NWA1123-AC-PRO Firmware | ||
| All of | ||
| Zyxel NWA1123-AC PRO firmware | <6.70\(abvt.5\) | |
| Zyxel NWA1123-AC PRO firmware | ||
| All of | ||
| Zyxel NWA130BE Firmware | <7.00\(acil.2\) | |
| Zyxel NWA130BE Firmware | ||
| All of | ||
| Zyxel NWA210AX | <7.00\(abtd.2\) | |
| Zyxel NWA210AX Firmware | ||
| All of | ||
| Zyxel NWA220AX-6E Firmware | <7.00\(acco.2\) | |
| Zyxel NWA220AX-6E Firmware | ||
| All of | ||
| Zyxel NWA50AX-Pro firmware | <7.00\(abyw.2\) | |
| Zyxel NWA50AX-PRO | ||
| All of | ||
| Zyxel NWA50AX-PRO | <7.00\(acge.2\) | |
| Zyxel NWA50AX-PRO | ||
| All of | ||
| Zyxel NWA55AXE Firmware | <7.00\(abzl.2\) | |
| Zyxel NWA55AXE Firmware | ||
| All of | ||
| Zyxel NWA90AX Pro Firmware | <7.00\(accv.2\) | |
| Zyxel NWA90AX Firmware | ||
| All of | ||
| Zyxel NWA90AX-PRO Firmware | <7.00\(acgf.2\) | |
| Zyxel NWA90AX Pro Firmware | ||
| All of | ||
| Zyxel USG LITE 60AX firmware | <v2.00\(acip.3\) | |
| Zyxel USG LITE 60AX firmware | ||
| All of | ||
| Zyxel WAC500H Firmware | <6.70\(abvs.5\) | |
| Zyxel WAC500 firmware | ||
| All of | ||
| Zyxel WAC500H Firmware | <6.70\(abwa.5\) | |
| Zyxel WAC500H Firmware | ||
| All of | ||
| Zyxel WAC6103D-I | <6.28\(aaxh.3\) | |
| Zyxel WAC6103D-I Firmware | ||
| All of | ||
| Zyxel WAC6502D-S | <6.28\(aase.3\) | |
| Zyxel WAC6502D-S Firmware | ||
| All of | ||
| Zyxel WAC6503D-S Firmware | <6.28\(aasf.3\) | |
| Zyxel WAC6503D-S Firmware | ||
| All of | ||
| Zyxel WAC6552D-S Firmware | <6.28\(abio.3\) | |
| Zyxel WAC6552D-S Firmware | ||
| All of | ||
| Zyxel WAC6553D-E | <6.28\(aasg.3\) | |
| Zyxel WAC6553D-E | ||
| All of | ||
| Zyxel WAX300H | <7.00\(achf.2\) | |
| Zyxel WAX300H firmware | ||
| All of | ||
| Zyxel WAX510D firmware | <7.00\(abtf.2\) | |
| Zyxel WAX510D firmware | ||
| All of | ||
| Zyxel WAX610D | <7.00\(abte.2\) | |
| Zyxel WAX610D Firmware | ||
| All of | ||
| Zyxel WAX620D-6E | <7.00\(accn.2\) | |
| Zyxel WAX620D-6E Firmware | ||
| All of | ||
| Zyxel WAX630S Firmware | <7.00\(abzd.2\) | |
| Zyxel WAX630S Firmware | ||
| All of | ||
| Zyxel WAX640S-6E | <7.00\(accm.2\) | |
| Zyxel WAX640S-6E Firmware | ||
| All of | ||
| Zyxel WAX650S Firmware | <7.00\(abrm.2\) | |
| Zyxel WAX650S Firmware | ||
| All of | ||
| Zyxel WAX655E Firmware | <7.00\(acdo.2\) | |
| Zyxel WAX655E Firmware | ||
| All of | ||
| Zyxel WBE530 Firmware | <7.00\(acle.2\) | |
| Zyxel WBE530 firmware | ||
| All of | ||
| Zyxel WBE660S firmware | <7.00\(acgg.2\) | |
| Zyxel WBE660S firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-7261?
CVE-2024-7261 is classified as a critical vulnerability due to its potential for remote code execution.
How do I fix CVE-2024-7261?
To fix CVE-2024-7261, update the affected Zyxel firmware to the latest version that addresses this vulnerability.
Which devices are affected by CVE-2024-7261?
CVE-2024-7261 affects multiple Zyxel devices including NWA1123ACv3, WAC500, WAX655E, and several others running specified firmware versions.
What types of vulnerabilities does CVE-2024-7261 involve?
CVE-2024-7261 involves improper neutralization of special elements in the "host" parameter, leading to OS command injection.
When was CVE-2024-7261 discovered?
CVE-2024-7261 was publicly disclosed in March 2024, revealing critical security flaws in various Zyxel networking devices.
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-7261
- alias/CVE-2024-42057
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/zyxel
- canonical/zyxel nwa110ax
- canonical/zyxel nwa110ax firmware
- canonical/zyxel nwa1123-ac-pro firmware
- canonical/zyxel nwa1123-ac pro firmware
- canonical/zyxel nwa130be firmware
- canonical/zyxel nwa210ax
- canonical/zyxel nwa210ax firmware
- canonical/zyxel nwa220ax-6e firmware
- canonical/zyxel nwa50ax-pro firmware
- canonical/zyxel nwa50ax-pro
- canonical/zyxel nwa55axe firmware
- canonical/zyxel nwa90ax pro firmware
- canonical/zyxel nwa90ax firmware
- canonical/zyxel nwa90ax-pro firmware
- canonical/zyxel usg lite 60ax firmware
- canonical/zyxel wac500h firmware
- canonical/zyxel wac500 firmware
- canonical/zyxel wac6103d-i
- canonical/zyxel wac6103d-i firmware
- canonical/zyxel wac6502d-s
- canonical/zyxel wac6502d-s firmware
- canonical/zyxel wac6503d-s firmware
- canonical/zyxel wac6552d-s firmware
- canonical/zyxel wac6553d-e
- canonical/zyxel wax300h
- canonical/zyxel wax300h firmware
- canonical/zyxel wax510d firmware
- canonical/zyxel wax610d
- canonical/zyxel wax610d firmware
- canonical/zyxel wax620d-6e
- canonical/zyxel wax620d-6e firmware
- canonical/zyxel wax630s firmware
- canonical/zyxel wax640s-6e
- canonical/zyxel wax640s-6e firmware
- canonical/zyxel wax650s firmware
- canonical/zyxel wax655e firmware
- canonical/zyxel wbe530 firmware
- canonical/zyxel wbe660s firmware