Zyxel warns of security flaws in a wide range of its products

Networking equipment maker Zyxel is warning of nearly a dozen vulnerabilities across a wide range of its products. If left unpatched, some could allow for complete takeover of devices that could be targeted as an initial entry point into large networks.

The most severe flaw, tracked as CVE-2024-7261, can be exploited to “allow an unauthenticated attacker to execute operating system commands by sending a crafted cookie to a vulnerable device,” Zyxel warns. The flaw, rated 9.8 out of 10, is due to “improper neutralization of special elements in the ‘host’ parameter in the CGI program” of vulnerable access points and security routers. Nearly 30 Zyxel devices are affected. As with the other vulnerabilities described in this post, Zyxel is urging customers to patch it as soon as possible.
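The "improper neutralization of special elements" wording is the standard description of OS command injection: a request parameter is spliced into a shell command string without being validated, so characters the shell treats specially change what gets executed. The following added example is not Zyxel's code and not the vulnerable CGI program; the `ping` command, the hostname grammar and the function names are assumptions made for illustration. It shows the flawed string-building pattern beside the hardened form a reviewer would expect: an allow-list check on the host value and an argv list that is handed to `execve` without any shell in between.

```python
"""Added example: a flawed 'host' parameter pattern beside a hardened form.
Not Zyxel's code; the ping command and hostname grammar are assumptions."""
import re
import subprocess
from typing import List, Optional, Set

# Characters a POSIX shell interprets; any of these in a host value is a red flag.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\\\"'")

# Hostname grammar per RFC 1123: labels of letters, digits and hyphens that
# neither start nor end with a hyphen, joined by dots, 253 characters at most.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def find_shell_metacharacters(value: str) -> Set[str]:
    """Detection helper: which shell special characters does the value contain?"""
    return {c for c in value if c in SHELL_METACHARACTERS}


def is_valid_hostname(host: str) -> bool:
    """Allow-list check: accept only a syntactically valid hostname."""
    return 0 < len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def ping_command_vulnerable(host: str) -> str:
    """The flawed pattern: the parameter is concatenated into a shell string.
    Anything the shell treats specially in `host` changes what is executed."""
    return f"ping -c 1 {host}"  # would be passed to os.system() or shell=True


def ping_command_hardened(host: str) -> Optional[List[str]]:
    """Validate first, then build an argv list; returns None on rejection.
    subprocess.run(argv) with the default shell=False hands the list straight
    to execve, so no shell ever parses the value."""
    if not is_valid_hostname(host):
        return None
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> Optional[int]:
    """Run the hardened command and return its exit status (None if rejected)."""
    argv = ping_command_hardened(host)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, check=False).returncode


if __name__ == "__main__":
    # Constructed sample values: one clean hostname, one carrying a separator.
    for candidate in ("router.example.net", "router.example.net; echo injected"):
        print(candidate, "->", ping_command_hardened(candidate),
              "metacharacters:", find_shell_metacharacters(candidate))
```

The validator is an allow-list rather than a deny-list of metacharacters: rejecting everything that is not a hostname is easier to reason about than enumerating every character a shell might interpret, and the argv form means that even a value that slips past validation is still only ever a single argument.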

But wait… there’s something else

The hardware maker has warned of seven additional vulnerabilities affecting a series of firewalls, including ATP, USG-FLEX, and USG FLEX 50(W)/USG20(W)-VPN. Their severity ratings range from 4.9 to 8.1. They are:

CVE-2024-6343: A buffer overflow vulnerability in CGI could allow an authenticated attacker with administrative privileges to cause a denial of service by sending crafted HTTP requests.

CVE-2024-7203: A post-authentication command injection vulnerability could allow an authenticated attacker with administrative privileges to run operating system commands by executing a crafted CLI command.

CVE-2024-42057: A command injection vulnerability in the IPSec VPN feature could allow an unauthenticated attacker to execute operating system commands by sending a crafted username. The attack would only be successful if the device was configured in User-Based-PSK authentication mode and there was a valid user with a long username exceeding 28 characters.

CVE-2024-42058: A null pointer dereference vulnerability in some versions of network firewalls could allow an unauthenticated attacker to conduct DoS attacks by sending modified packets.

CVE-2024-42059: A post-authentication command injection vulnerability could allow an authenticated attacker with administrative privileges to run operating system commands on an affected device by uploading a specially crafted compressed language file via FTP.

CVE-2024-42060: A post-authentication command injection vulnerability could allow an authenticated attacker with administrative privileges to execute operating system commands by uploading a specially crafted internal user agreement file to a vulnerable device.

CVE-2024-42061: A reflected cross-site scripting vulnerability in the CGI program “dynamic_script.cgi” could allow an attacker to trick a user into visiting a crafted URL with an XSS payload. The attacker could obtain browser-based information if the malicious script is executed in the victim’s browser.
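For the CVE-2024-42057 item above, the advisory names two preconditions that can be audited before firmware is applied: the device must be in User-Based-PSK authentication mode, and a valid user must have a username longer than 28 characters. The following added example is not Zyxel's tooling; the configuration text format, its keywords and the function names are constructed for illustration and are not Zyxel's CLI syntax. It parses a saved configuration and lists the usernames that meet both conditions, so an administrator can shorten or remove them, or change the authentication mode, as an interim measure while waiting for the patch.

```python
"""Added example: audit a saved configuration for the CVE-2024-42057
preconditions. The config format below is constructed and is NOT Zyxel's
real CLI syntax; only the 28-character threshold comes from the advisory."""
from typing import Dict, List

MAX_SAFE_USERNAME_LEN = 28  # threshold quoted in the advisory

# Constructed sample configuration in an invented format:
#   ipsec auth-mode <pre-shared-key|user-based-psk|certificate>
#   user <username>
SAMPLE_CONFIG = """\
# constructed example, not a real device export
ipsec auth-mode user-based-psk
user alice
user vpn-contractor-north-region-backup-account
user bob
"""


def parse_config(text: str) -> Dict[str, object]:
    """Pull the IPsec auth mode and the user list out of the config text."""
    cfg: Dict[str, object] = {"auth_mode": None, "users": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[:2] == ["ipsec", "auth-mode"] and len(parts) == 3:
            cfg["auth_mode"] = parts[2]
        elif parts[0] == "user" and len(parts) >= 2:
            cfg["users"].append(parts[1])  # type: ignore[union-attr]
    return cfg


def audit_cve_2024_42057(cfg: Dict[str, object]) -> List[str]:
    """Return the usernames that satisfy both advisory preconditions.
    An empty list means the stated attack precondition is not met; it does
    not mean the device is patched."""
    if cfg.get("auth_mode") != "user-based-psk":
        return []
    users: List[str] = cfg.get("users", [])  # type: ignore[assignment]
    return [u for u in users if len(u) > MAX_SAFE_USERNAME_LEN]


if __name__ == "__main__":
    flagged = audit_cve_2024_42057(parse_config(SAMPLE_CONFIG))
    for name in flagged:
        print(f"username exceeds {MAX_SAFE_USERNAME_LEN} chars: {name} ({len(name)})")
    if not flagged:
        print("no usernames meet the CVE-2024-42057 preconditions")
```

The audit deliberately returns nothing when the mode is not User-Based-PSK, matching the advisory's statement that the flaw is only reachable in that mode; removing the precondition reduces exposure but is not a substitute for the vendor patch.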

The remaining vulnerability is CVE-2024-5412, with a severity level of 7.5. It affects 50 Zyxel product models, including customer premises equipment, fiber optic network terminals, and security routers. A buffer overflow vulnerability in the “libclinkc” library of the affected devices could allow an unauthenticated attacker to cause a denial of service by sending a crafted HTTP request.

In recent years, Zyxel devices have been regularly subjected to active attacks due to security vulnerabilities. Many patches are available for download via links listed in the warnings. In a small number of cases, patches are available in the cloud. Patches for some products are only available by contacting the company’s support team privately.