Business routers vulnerable to OS command injection attack

Make sure to apply the patch immediately

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Multiplebusiness routermodels, built by the Taiwanese networking giant Zyxel, carried a critical vulnerability which allowed malicious actors to run any command, remotely. The manufacturer recently released a fix which addresses the flaw, so installing it straight away is highly recommended.

As the company explained in an advisory, the vulnerability is described as an “input validation fault caused by improper handling of user-supplied data.” In other words, the underlying OS does not validate the data a user inputs, potentially allowing crooks to run OS command injection. The bug is tracked asCVE-2024-7261, and carries a severity score of 9.8/10 - critical.

“The improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in the advisory.

Numerous devices affected

Multiple Zyxel access points (AP) are vulnerable to the flaw. The full list is below:

Security router USG LITE 60AX running V2.00(ACIP.2) is also vulnerable, but this device is automatically patched, so users should be safe. In any case, if you’re using this model make sure it’s running version V2.00(ACIP.3).

Zyxel is a popular manufacturer of networking devices, with its routers, switches, and wireless access points being used by thousands of organizations worldwide. As such, it is a popular target among cybercriminals, who are always on the hunt for a new vulnerability to exploit. Zyxel customers are advised toapply the patchas soon as possible and thus secure their premises.

ViaBleepingComputer

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

3 reasons why PIA fell in our best VPN rankings

Is it still worth using Proton VPN Free?

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time