Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands.
Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection.
“The improper neutralization of special elements in the parameter ‘host’ in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel said in an advisory.
Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw.
Zyxel has also shipped updates for seven vulnerabilities in its routers and firewalls, including few that are high in severity, that could result in OS command execution, a denial-of-service (DoS), or access browser-based information –
The development comes as D-Link said four security vulnerabilities affecting its DIR-846 router, counting two critical remote command execution vulnerabilities (CVE-2024-44342, CVSS score: 9.8) will not be patched owing to the products reaching end-of-life (EoL) status of February 2020, urging customers to replace them with support versions.