CVE-2024-7261

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:nwa110ax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa110ax:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:nwa1123-ac_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa1123-ac_pro:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:nwa1123acv3_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa1123acv3:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zyxel:nwa130be_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa130be:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:zyxel:nwa210ax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa210ax:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:zyxel:nwa220ax-6e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa220ax-6e:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:zyxel:nwa50ax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa50ax:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:zyxel:nwa50ax_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa50ax_pro:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:zyxel:nwa55axe_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa55axe:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:zyxel:nwa90ax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa90ax:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:zyxel:nwa90ax_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:nwa90ax_pro:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:zyxel:usg_lite_60ax_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_lite_60ax:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:zyxel:wac500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac500:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:zyxel:wac500h_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac500h:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:zyxel:wac6103d-i_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac6103d-i:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:zyxel:wac6502d-s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac6502d-s:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:zyxel:wac6503d-s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac6503d-s:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:zyxel:wac6552d-s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac6552d-s:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:zyxel:wac6553d-e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wac6553d-e:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:zyxel:wax300h_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax300h:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:zyxel:wax510d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax510d:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:zyxel:wax610d_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax610d:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:zyxel:wax620d-6e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax620d-6e:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:zyxel:wax630s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax630s:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND

cpe:2.3:o:zyxel:wax640s-6e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax640s-6e:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND

cpe:2.3:o:zyxel:wax650s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax650s:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND

cpe:2.3:o:zyxel:wax655e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wax655e:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND

cpe:2.3:o:zyxel:wbe530_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wbe530:-:*:*:*:*:*:*:*

Configuration 29 (hide)

AND

cpe:2.3:o:zyxel:wbe660s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:wbe660s:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-03 03:15

Updated : 2024-09-13 19:39

NVD link : CVE-2024-7261

Mitre link : CVE-2024-7261

CVE.ORG link : CVE-2024-7261

JSON object : View

Products Affected

zyxel

usg_lite_60ax
nwa50ax
wax510d_firmware
wax655e
wax620d-6e_firmware
wac6552d-s_firmware
nwa55axe
wac6502d-s
wax300h
wax620d-6e
wax300h_firmware
wax610d_firmware
wax650s_firmware
wbe530
wax640s-6e_firmware
nwa1123acv3_firmware
nwa130be_firmware
nwa210ax
wbe530_firmware
wax510d
wac500
nwa210ax_firmware
wac6503d-s_firmware
nwa110ax
wbe660s_firmware
nwa1123-ac_pro
wax640s-6e
nwa130be
wac500h
nwa90ax_firmware
wax610d
wac6553d-e
nwa110ax_firmware
wac6553d-e_firmware
wax630s_firmware
nwa50ax_pro
wac6103d-i_firmware
wax650s
wbe660s
wac6552d-s
nwa55axe_firmware
wac6103d-i
nwa50ax_firmware
nwa220ax-6e_firmware
nwa1123-ac_pro_firmware
nwa90ax
usg_lite_60ax_firmware
wac500_firmware
nwa90ax_pro_firmware
wax655e_firmware
nwa220ax-6e
wax630s
nwa1123acv3
wac500h_firmware
nwa90ax_pro
wac6503d-s
nwa50ax_pro_firmware
wac6502d-s_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

9.8 /10