On 3 September 2024, Zyxel released patches for a critical OS command injection vulnerability, identified as CVE-2024-7261, affecting Access Points (APs) and security routers. This vulnerability stems from improper handling of special elements in the “host” parameter within the CGI program of certain AP and router versions, potentially allowing an unauthenticated attacker to execute OS commands by sending a specially crafted cookie to the vulnerable device.
Arctic Wolf has not identified a publicly accessible proof of concept (PoC) exploit for this vulnerability, and active exploitation has not been observed. However, Zyxel products have been frequent targets for threat actors, as indicated by numerous vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog. Given the level of access that could be obtained through successful command injection, threat actors may reverse engineer the patches and target this vulnerability in the near future.
Recommendation for CVE-2024-7261
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected model | Affected version | Patch availability |
| AP | NWA50AX | 7.00(ABYW.1) and earlier | 7.00(ABYW.2) |
| NWA50AX PRO | 7.00(ACGE.1) and earlier | 7.00(ACGE.2) | |
| NWA55AXE | 7.00(ABZL.1) and earlier | 7.00(ABZL.2) | |
| NWA90AX | 7.00(ACCV.1) and earlier | 7.00(ACCV.2) | |
| NWA90AX PRO | 7.00(ACGF.1) and earlier | 7.00(ACGF.2) | |
| NWA110AX | 7.00(ABTG.1) and earlier | 7.00(ABTG.2) | |
| NWA130BE | 7.00(ACIL.1) and earlier | 7.00(ACIL.2) | |
| NWA210AX | 7.00(ABTD.1) and earlier | 7.00(ABTD.2) | |
| NWA220AX-6E | 7.00(ACCO.1) and earlier | 7.00(ACCO.2) | |
| NWA1123-AC PRO | 6.28(ABHD.0) and earlier | 6.28(ABHD.3) | |
| NWA1123ACv3 | 6.70(ABVT.4) and earlier | 6.70(ABVT.5) | |
| WAC500 | 6.70(ABVS.4) and earlier | 6.70(ABVS.5) | |
| WAC500H | 6.70(ABWA.4) and earlier | 6.70(ABWA.5) | |
| WAC6103D-I | 6.28(AAXH.0) and earlier | 6.28(AAXH.3) | |
| WAC6502D-S | 6.28(AASE.0) and earlier | 6.28(AASE.3) | |
| WAC6503D-S | 6.28(AASF.0) and earlier | 6.28(AASF.3) | |
| WAC6552D-S | 6.28(ABIO.0) and earlier | 6.28(ABIO.3) | |
| WAC6553D-E | 6.28(AASG.2) and earlier | 6.28(AASG.3) | |
| WAX300H | 7.00(ACHF.1) and earlier | 7.00(ACHF.2) | |
| WAX510D | 7.00(ABTF.1) and earlier | 7.00(ABTF.2) | |
| WAX610D | 7.00(ABTE.1) and earlier | 7.00(ABTE.2) | |
| WAX620D-6E | 7.00(ACCN.1) and earlier | 7.00(ACCN.2) | |
| WAX630S | 7.00(ABZD.1) and earlier | 7.00(ABZD.2) | |
| WAX640S-6E | 7.00(ACCM.1) and earlier | 7.00(ACCM.2) | |
| WAX650S | 7.00(ABRM.1) and earlier | 7.00(ABRM.2) | |
| WAX655E | 7.00(ACDO.1) and earlier | 7.00(ACDO.2) | |
| WBE530 | 7.00(ACLE.1) and earlier | 7.00(ACLE.2) | |
| WBE660S | 7.00(ACGG.1) and earlier | 7.00(ACGG.2) | |
| Security router | USG LITE 60AX | V2.00(ACIP.2) | V2.00(ACIP.3)* |
Note: Zyxel has stated security router is updated by cloud.
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
References
Stay up to date with the latest security incidents and trends from Arctic Wolf Labs.
Explore the latest global threats with the 2024 Arctic Wolf Labs Threats Report.
