Fixes have been released by Zyxel for numerous vulnerabilities affecting several of its router and firewall offerings, the most severe of which was a critical input validation issue, tracked as CVE-2024-7261, which could be leveraged to enable remote arbitrary command execution, BleepingComputer reports.
Multiple Zyxel NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series, and WBE Series access points are impacted by the flaw, which stems from improper handling of user-supplied input, according to Zyxel. "The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," said Zyxel.

Seven other high-severity ATP and USG FLEX firewall bugs have also been addressed by Zyxel, the most serious of which was the command injection flaw in the IPSec VPN functionality, tracked as CVE-2024-42057, which could be exploited by unauthenticated attackers for OS command execution.
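The root cause Zyxel describes is the classic CWE-78 pattern: a request-controlled value (here a `host` parameter carried in a cookie) reaches an OS command without being neutralized. The page does not show Zyxel's CGI code, so the example below is an added, hypothetical illustration rather than anything from the vendor: it pairs the two defensive controls a practitioner would want (an allowlist validator for a host-style parameter, and command construction as an argv list so no shell parses the value) with a small detector that scans constructed access-log lines for `host` cookie values that fail the allowlist. All function names, regexes, the log format and the sample lines are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Everything in this file is constructed for illustration; it is not Zyxel's
# code and does not describe the internals of its CGI handler.

# RFC 1123 hostname: labels of 1-63 chars from [A-Za-z0-9-], no leading or
# trailing '-', whole name at most 253 chars. Anything outside this allowlist
# (spaces, quotes, '|', '$', backticks, newlines, ...) is rejected outright.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def is_safe_host(value: str) -> bool:
    """Allowlist check: True only for a well-formed hostname or IPv4 literal."""
    return bool(HOSTNAME_RE.match(value) or IPV4_RE.match(value))


def build_ping_argv(host: str) -> List[str]:
    """Build the argv for a diagnostic ping of `host`.

    The list form is intended for subprocess.run(argv) without shell=True, so
    no shell ever tokenizes the value. The allowlist check still runs first so
    that a malformed value fails loudly instead of reaching the binary.
    """
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict. Later duplicates overwrite earlier ones;
    a pair without '=' is kept with an empty value."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


# Constructed access-log lines in a hypothetical format that appends the
# request's Cookie header as the final quoted field.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2024:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "lang=en; host=ntp.example.com"',
    '10.0.0.9 - - [01/Sep/2024:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "host=10.0.0.1|id"',
    '10.0.0.7 - - [01/Sep/2024:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "host=192.168.1.1"',
    '10.0.0.8 - - [01/Sep/2024:10:00:04 +0000] "GET /cgi-bin/status HTTP/1.1" 200 "host=$(uname)"',
]
COOKIE_FIELD_RE = re.compile(r'"([^"]*)"\s*$')


def flag_bad_host_cookies(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, host_value) for every line whose 'host' cookie fails
    the same allowlist the handler applies. Lines without a host cookie, or
    without a trailing quoted cookie field, are skipped."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = COOKIE_FIELD_RE.search(line)
        if not m:
            continue
        host = parse_cookie_header(m.group(1)).get("host")
        if host is not None and not is_safe_host(host):
            hits.append((line.split(" ", 1)[0], host))
    return hits


if __name__ == "__main__":
    for ip, host in flag_bad_host_cookies(SAMPLE_LOG):
        print(f"suspicious host cookie from {ip}: {host!r}")
```

The detector deliberately reuses `is_safe_host` rather than a blocklist of metacharacters: a value that the handler would refuse is exactly the value worth alerting on, and the two stay in sync by construction.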