Business routers vulnerable to OS command injection attack


Multiple business router and access point models built by the Taiwanese networking giant Zyxel carried a critical vulnerability that allowed unauthenticated remote attackers to run arbitrary operating system commands. The manufacturer recently released a fix that addresses the flaw, so installing it straight away is highly recommended.

As the company explained in an advisory, the vulnerability is an “input validation fault caused by improper handling of user-supplied data.” In other words, the device's software does not validate the data a user supplies, which can let crooks perform OS command injection. The bug is tracked as CVE-2024-7261 and carries a severity score of 9.8 out of 10, rated critical.

"The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," Zyxel said in the advisory.
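An illustration of the bug class the advisory describes, added here and not code from Zyxel's firmware: a CGI-style handler that reads a `host` value out of the Cookie header, with the vulnerable string-concatenation pattern shown beside a hardened version that validates the value against a strict hostname allowlist and never hands it to a shell. The cookie name, the `ping` command and the sample values are assumptions for the example.

```python
import re
from typing import Optional
from http.cookies import SimpleCookie

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def host_from_cookie(cookie_header: str) -> Optional[str]:
    """Pull the 'host' value out of a raw Cookie header (cookie name is assumed)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("host")
    return morsel.value if morsel else None


def build_ping_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input is interpolated into a shell command
    line. Any shell metacharacter in 'host' is parsed by the shell as syntax,
    which is exactly the 'improper neutralization of special elements' in the
    advisory. Returned as a string only; this example never executes it."""
    return f"ping -c 1 {host}"


def is_valid_hostname(host: str) -> bool:
    """Strict allowlist check: only a syntactically valid DNS hostname passes.
    Anything containing spaces, quotes, ';', '|', '$' or '`' fails the regex."""
    return 0 < len(host) <= 253 and _HOSTNAME_RE.fullmatch(host) is not None


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list suitable for
    subprocess.run(argv, shell=False), so no shell ever parses the value."""
    if not is_valid_hostname(host):
        raise ValueError("rejected host value")
    return ["ping", "-c", "1", host]


def handle_request(cookie_header: str) -> list[str]:
    """Minimal CGI-style entry point: extract the cookie value, then build the
    command the hardened way. Missing or invalid values are refused."""
    host = host_from_cookie(cookie_header)
    if host is None:
        raise ValueError("no host cookie")
    return build_ping_safe(host)
```
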

Numerous devices affected

Multiple Zyxel access points (AP) are vulnerable to the flaw. The full list is below:

  • NWA Series: NWA50AX, NWA50AX PRO, NWA55AXE, NWA90AX, NWA90AX PRO, NWA110AX, NWA130BE, NWA210AX, NWA220AX-6E (all versions up to 7.00)
  • NWA1123-AC PRO (all versions up to 6.28)
  • NWA1123ACv3, WAC500, WAC500H (all versions up to 6.70)
  • WAC Series: WAC6103D-I, WAC6502D-S, WAC6503D-S, WAC6552D-S, WAC6553D-E (all versions up to 6.28)
  • WAX Series: WAX300H, WAX510D, WAX610D, WAX620D-6E, WAX630S, WAX640S-6E, WAX650S, WAX655E (all versions up to 7.00)
  • WBE Series: WBE530, WBE660S (all versions up to 7.00)

The USG LITE 60AX security router running V2.00(ACIP.2) is also vulnerable, but this device is patched automatically, so users should be safe. In any case, if you’re using this model, make sure it’s running version V2.00(ACIP.3).

Zyxel is a popular manufacturer of networking devices, with its routers, switches, and wireless access points used by thousands of organizations worldwide. As such, it is a popular target among cybercriminals, who are always hunting for new vulnerabilities to exploit. Zyxel customers are advised to apply the patch as soon as possible to secure their environments.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
