CVE-2024-7261OS Command Injection in Zyxel Nwa110ax Firmware

CWE-78OS Command Injection4 documents4 sources
Severity
9.8CRITICALNVD
EPSS
27.9%
top 3.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
29
Zyxel Nwa110ax FirmwareZyxel Nwa1123-ac PRO FirmwareZyxel Nwa1123acv3 Firmware+26 more
Timeline
PublishedSep 3

Description

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages34 packages

NVDzyxel/usg_lite_60ax_firmware< v2.00\(acip.3\)
CVEListV5zyxel/usg_lite_60ax_firmwareV2.00(ACIP.2)
NVDzyxel/wac500_firmware< 6.70\(abvs.5\)
NVDzyxel/wbe530_firmware< 7.00\(acle.2\)
NVDzyxel/wac500h_firmware< 6.70\(abwa.5\)

🔴Vulnerability Details

2
GHSA
GHSA-4c9r-w43c-8v76: The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 62024-09-03
CVEList
CVE-2024-7261: The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 62024-09-03

🕵️Threat Intelligence

1
Bleepingcomputer
Zyxel warns of critical OS command injection flaw in routers2024-09-03
CVE-2024-7261 — OS Command Injection in Zyxel | cvebase