PT-2024-6139 · Zyxel · WAX655E +4

Chengchao Ai · Published 2024-09-02 · Updated 2024-09-14 · CVE-2024-7261

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zyxel NWA1123ACv3 versions 6.70(ABVT.4) and earlier
Zyxel WAC500 versions 6.70(ABVS.4) and earlier
Zyxel WAX655E versions 7.00(ACDO.1) and earlier
Zyxel WBE530 versions 7.00(ACLE.1) and earlier
Zyxel USG LITE 60AX version V2.00(ACIP.2)
Description

The vulnerability exists due to the improper neutralization of special elements in the host parameter in the CGI program, allowing an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. This issue can be exploited remotely and may allow attackers to execute arbitrary commands on the host operating system.
Recommendations

For Zyxel NWA1123ACv3 versions 6.70(ABVT.4) and earlier, update to the latest firmware version.
For Zyxel WAC500 versions 6.70(ABVS.4) and earlier, update to the latest firmware version.
For Zyxel WAX655E versions 7.00(ACDO.1) and earlier, update to the latest firmware version.
For Zyxel WBE530 versions 7.00(ACLE.1) and earlier, update to the latest firmware version.
For Zyxel USG LITE 60AX version V2.00(ACIP.2), update to the latest firmware version.

As a temporary workaround, consider restricting access to the vulnerable CGI program until a patch is available.
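The defensive counterpart of the weakness described above, as an added illustration that is not Zyxel's firmware code: a strict allow-list check on a host value read from a cookie, a command built as an argv list so the value is never handed to a shell, and a log-review helper that flags cookie values carrying shell metacharacters. The cookie name `host`, the `ping` use and the shape of the sample log lines are assumptions.

```python
import re
from http.cookies import SimpleCookie
from typing import List, Optional

# Allow-list for the host parameter: RFC 1123 hostname labels or an IPv4 literal.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4 = re.compile(rf"^(?:{_OCTET}\.){{3}}{_OCTET}$")
# Characters a shell would interpret; none of them can occur in a valid host value.
_SHELL_META = re.compile(r"[;|&`$<>\\\n\r\"'(){}]")

def is_valid_host(value: str) -> bool:
    """Accept only a well-formed hostname or dotted-quad IPv4 address."""
    if not value or len(value) > 253:
        return False
    return bool(_IPV4.match(value) or _HOSTNAME.match(value))

def host_from_cookie(cookie_header: str, name: str = "host") -> Optional[str]:
    """Parse a Cookie header; return the host value only if it passes the allow-list."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # malformed header: treat the parameter as absent
        return None
    morsel = jar.get(name)
    if morsel is None or not is_valid_host(morsel.value):
        return None
    return morsel.value

def build_ping_argv(host: str) -> List[str]:
    """Hardened form: the validated value is one argv element for subprocess.run(shell=False),
    so /bin/sh never parses it and metacharacters are inert."""
    if not is_valid_host(host):
        raise ValueError("host parameter rejected")
    return ["ping", "-c", "1", host]

def suspicious_cookie_values(log_lines: List[str]) -> List[str]:
    """Log-review helper: Cookie header values that carry shell metacharacters."""
    hits = []
    for line in log_lines:
        m = re.search(r"Cookie: ([^\r\n]*)", line)
        if m and _SHELL_META.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "GET /cgi-bin/example HTTP/1.1 Cookie: host=gateway.example.net",
    "GET /cgi-bin/example HTTP/1.1 Cookie: host=x$(id)",
]
```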

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2024-07058
CVE-2024-7261

Affected Products

NWA1123ACv3
USG LITE 60AX
WAC500
WAX655E
WBE530