PSA: Anyone using Zyxel networking solutions is likely operating on faulty equipment. The company recently listed nine serious security flaws in over 50 products, ranging from access points to firewalls. Zyxel has promptly issued patches for all the holes, but administrative intervention is required to update the firmware.

This week, networking OEM Zyxel listed nine security advisories affecting dozens of its products. Most of the vulnerabilities carry a "high" severity ranking. The most dangerous (CVE-2024-7261) has a "critical" rating of 9.8 on a 10-point scale. The vulnerability can permit hackers to take over the exploited device and use it as an entry point to the entire network.

According to the Common Vulnerabilities and Exposures record, CVE-2024-7261 can allow bad actors to send a vulnerable device a malicious cookie that executes commands within the operating system. This flaw affects 29 Zyxel access points and security routers. Admins should consult the advisory for vulnerable models and patch availability.

The Common Weakness Enumeration entry associated with CVE-2024-7261 describes a product that fails to neutralize special elements in external inputs from an upstream device. This attack vector, known as "OS command injection" or "shell injection," allows attackers to craft malicious inputs that execute commands on the OS without authentication.
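To make the weakness class concrete, here is an added example in C; it is not Zyxel's code and says nothing about how the affected firmware is actually written. It parses a session value out of a constructed Cookie header, shows the weak pattern (splicing the raw value into a shell command line, built here as a string only and never executed) and two mitigations: an allowlist check on the value, and passing it as a single argv entry so no shell ever interprets it. The helper path /bin/lookup_session is a hypothetical placeholder.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extract the value of one cookie name from a Cookie header value.
 * Returns 1 and copies the NUL-terminated value into out on success,
 * 0 when the cookie is absent or would not fit (refuse, never truncate). */
int get_cookie(const char *header, const char *name, char *out, size_t out_len) {
    size_t name_len = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *v = p + name_len + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen + 1 > out_len) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, ';');
    }
    return 0;
}

/* Weak pattern (CWE-78 style): the untrusted value lands verbatim inside a
 * command line that would later be handed to a shell. Only the string is
 * built here; nothing is executed. */
int build_unsafe_command(const char *cookie_value, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "/bin/lookup_session %s", cookie_value);
    return n >= 0 && (size_t)n < out_len;
}

/* Mitigation 1: allowlist validation. A session token is expected to be a
 * short run of [A-Za-z0-9]; anything else, including every shell
 * metacharacter, is rejected before the value is used anywhere. */
int is_valid_session_token(const char *value) {
    if (value == NULL) return 0;
    size_t len = strlen(value);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        if (!isalnum((unsigned char)value[i])) return 0;
    }
    return 1;
}

/* Mitigation 2: never go through a shell. Build an argv array so the token is
 * one argument and characters like ';', '|' or '$' carry no meaning.
 * Returns the number of argv entries, or -1 when validation fails. */
int build_argv(const char *cookie_value, const char *argv_out[], size_t max_args) {
    if (max_args < 3 || !is_valid_session_token(cookie_value)) return -1;
    argv_out[0] = "/bin/lookup_session";   /* hypothetical helper binary */
    argv_out[1] = cookie_value;
    argv_out[2] = NULL;
    return 2;
}

int main(void) {
    /* Constructed headers: one benign, one carrying a shell metacharacter. */
    const char *headers[] = {
        "lang=en; session=a1b2c3; theme=dark",
        "lang=en; session=abc|date; theme=dark",
    };
    for (size_t i = 0; i < 2; i++) {
        char value[128], cmd[256];
        const char *argv[4];
        if (!get_cookie(headers[i], "session", value, sizeof value)) continue;
        build_unsafe_command(value, cmd, sizeof cmd);
        printf("raw shell line would be: %s\n", cmd);
        printf("allowlist check: %s, argv build: %d\n",
               is_valid_session_token(value) ? "accept" : "reject",
               build_argv(value, argv, 4));
    }
    return 0;
}
```

The allowlist is the important half: escaping individual characters tends to miss one, whereas rejecting anything outside the expected alphabet leaves nothing for a shell to interpret, and avoiding the shell entirely removes the sink.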

A second vulnerability, CVE-2024-5412, affects 50 devices, including 5G NR CPEs, DSL/Ethernet CPEs, fiber ONTs, WiFi extenders, and security routers. While it is less critical than the previous flaw, its 7.5 rating is still considered highly severe. Products with this flaw fail to perform length checks when copying an input buffer to an output buffer. If the input exceeds the output buffer's capacity, the copy overflows the buffer, allowing an attacker to execute arbitrary code on the vulnerable device.
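The missing length check described above is a generic pattern, so here is an added C example of it; it is not Zyxel's code and makes no claim about where the real defect sits. It contrasts an unchecked copy with a bounded one, and goes one step further than the paragraph by parsing a constructed type-length-value record where the length field itself is attacker-controlled, the shape in which such bugs usually appear in management protocols. The record layout is an assumption for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 32

/* Weak pattern (CWE-120 style): the input length alone drives the copy; the
 * destination capacity never enters the decision. Not called below, because
 * with src_len > OUT_CAP it writes past the end of dst. */
void copy_unchecked(uint8_t *dst, const uint8_t *src, size_t src_len) {
    memcpy(dst, src, src_len);
}

/* Hardened: copy only when the input fits. Returns bytes copied or -1.
 * Rejecting rather than silently truncating keeps callers that treat the
 * copy as all-or-nothing from operating on a half-written buffer. */
long copy_bounded(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len) {
    if (dst == NULL || src == NULL) return -1;
    if (src_len > dst_cap) return -1;
    memcpy(dst, src, src_len);
    return (long)src_len;
}

/* Parse one TLV record: 1 byte type, 2 byte big-endian length, then value.
 * The declared length is untrusted, so it is checked against both the bytes
 * actually received and the destination capacity before any copy happens. */
int parse_tlv(const uint8_t *msg, size_t msg_len, uint8_t *dst, size_t dst_cap,
              uint8_t *type_out, size_t *value_len_out) {
    if (msg == NULL || dst == NULL || msg_len < 3) return -1;
    size_t declared = ((size_t)msg[1] << 8) | msg[2];
    if (declared > msg_len - 3) return -1;   /* claims more than was received */
    if (declared > dst_cap) return -1;       /* would overflow the destination */
    memcpy(dst, msg + 3, declared);
    if (type_out) *type_out = msg[0];
    if (value_len_out) *value_len_out = declared;
    return 0;
}

int main(void) {
    uint8_t out[OUT_CAP];
    uint8_t type;
    size_t vlen;

    /* Constructed records: a well-formed one, one whose declared length
     * exceeds the destination, and one whose declared length exceeds the
     * bytes actually present. */
    const uint8_t good[] = {0x01, 0x00, 0x04, 'a', 'b', 'c', 'd'};
    uint8_t too_big[3 + 64] = {0x01, 0x00, 0x40};
    memset(too_big + 3, 'x', 64);
    const uint8_t short_frame[] = {0x01, 0x00, 0x10, 'a'};

    printf("good: %d\n", parse_tlv(good, sizeof good, out, sizeof out, &type, &vlen));
    printf("too_big: %d\n", parse_tlv(too_big, sizeof too_big, out, sizeof out, &type, &vlen));
    printf("short_frame: %d\n", parse_tlv(short_frame, sizeof short_frame, out, sizeof out, &type, &vlen));
    printf("bounded copy of 64 bytes into %d: %ld\n", OUT_CAP,
           copy_bounded(out, sizeof out, too_big + 3, 64));
    return 0;
}
```

Two checks are needed, not one: comparing the declared length only against the destination still lets a truncated frame read past the received bytes, and comparing it only against the received bytes still lets a long value overrun the destination.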

A third security advisory contains seven vulnerabilities, all affecting Zyxel's firewalls. The CVE entries are as follows:

  • CVE-2024-6343 – Buffer overflow. Rating: 4.9 (medium).
  • CVE-2024-7203 – Post-authentication command injection. Rating: 7.2 (high).
  • CVE-2024-42057 – Command injection in the IPSec VPN feature. Rating: 8.1 (high).
  • CVE-2024-42058 – Null pointer dereference vulnerability. Rating: 7.5 (high).
  • CVE-2024-42059 – Post-authentication command injection. Rating: 7.2 (high).
  • CVE-2024-42060 – Post-authentication command injection. Rating: 7.2 (high).
  • CVE-2024-42061 – Reflected cross-site scripting (XSS) vulnerability. Rating: 6.1 (medium).

Zyxel says it has patched all of these flaws, including the two discussed above. The advisory has links to most of the firmware updates, but some devices may require contacting your local Zyxel service representative for remediation.

Widespread severe security issues with Zyxel products are not uncommon. Researchers discovered critical vulnerabilities in Zyxel firewalls and network-attached storage devices last year. They also found an administrator-level backdoor in the company's firewalls and access-point controllers in 2021.

Image credit: Daniel Aleksandersen