Zyxel fixed critical OS command injection flaw in multiple routers

Pierluigi Paganini September 04, 2024

Taiwanese manufacturer Zyxel addressed a critical OS command injection flaw affecting multiple models of its business routers.

Zyxel has released security updates to address a critical vulnerability, tracked as  (CVSS v3 score of 9.8), impacting multiple models of its business routers.

The flaw is an operating system (OS) command injection issue that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.

An unauthenticated attacker can execute OS commands by sending a specially crafted cookie to a vulnerable device.

“Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions.” reads the . “The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”

Below is the list of affected models and related patches:

ProductAffected modelAffected versionPatch availability
APNWA50AX7.00(ABYW.1) and earlier
NWA50AX PRO7.00(ACGE.1) and earlier
NWA55AXE7.00(ABZL.1) and earlier
NWA90AX7.00(ACCV.1) and earlier
NWA90AX PRO7.00(ACGF.1) and earlier
NWA110AX7.00(ABTG.1) and earlier
NWA130BE7.00(ACIL.1) and earlier
NWA210AX7.00(ABTD.1) and earlier
NWA220AX-6E7.00(ACCO.1) and earlier
NWA1123-AC PRO6.28(ABHD.0) and earlier
NWA1123ACv36.70(ABVT.4) and earlier
WAC5006.70(ABVS.4) and earlier
WAC500H6.70(ABWA.4) and earlier
WAC6103D-I6.28(AAXH.0) and earlier
WAC6502D-S6.28(AASE.0) and earlier
WAC6503D-S6.28(AASF.0) and earlier
WAC6552D-S6.28(ABIO.0) and earlier
WAC6553D-E6.28(AASG.2) and earlier
WAX300H7.00(ACHF.1) and earlier
WAX510D7.00(ABTF.1) and earlier
WAX610D7.00(ABTE.1) and earlier
WAX620D-6E7.00(ACCN.1) and earlier
WAX630S7.00(ABZD.1) and earlier
WAX640S-6E7.00(ACCM.1) and earlier
WAX650S7.00(ABRM.1) and earlier
WAX655E7.00(ACDO.1) and earlier
WBE5307.00(ACLE.1) and earlier
WBE660S7.00(ACGG.1) and earlier
Security routerUSG LITE 60AXV2.00(ACIP.2)V2.00(ACIP.3)*

Chengchao Ai from the ROIS team at Fuzhou University discovered the vulnerability.

Zyxel routers were already targeted by threat actors in the past, in August 2023, a variant of the Gafgyt botnet actively attempted to exploit a vulnerability, tracked as  (CVSS v3: 9.8), impacting the end-of-life Zyxel P660HN-T1A router.

Follow me on Twitter:  and  and Mastodon

(SecurityAffairs – hacking, routers)



you might also like

leave a comment