CVE-2024-7261

CRITICAL
Published Sep 3, 2024 Modified Sep 13, 2024 CWE-78

Description

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

Is your site exposed to CVE-2024-7261?

Run a free security scan — no signup, results in seconds.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-78 OS Command Injection

Affected Products

Vendor Product
zyxel nwa110ax_firmware
zyxel nwa110ax
zyxel nwa1123-ac_pro_firmware
zyxel nwa1123-ac_pro
zyxel nwa1123acv3_firmware
zyxel nwa1123acv3
zyxel nwa130be_firmware
zyxel nwa130be
zyxel nwa210ax_firmware
zyxel nwa210ax
zyxel nwa220ax-6e_firmware
zyxel nwa220ax-6e
zyxel nwa50ax_firmware
zyxel nwa50ax
zyxel nwa50ax_pro_firmware
zyxel nwa50ax_pro
zyxel nwa55axe_firmware
zyxel nwa55axe
zyxel nwa90ax_firmware
zyxel nwa90ax
zyxel nwa90ax_pro_firmware
zyxel nwa90ax_pro
zyxel usg_lite_60ax_firmware
zyxel usg_lite_60ax
zyxel wac500_firmware
zyxel wac500
zyxel wac500h_firmware
zyxel wac500h
zyxel wac6103d-i_firmware
zyxel wac6103d-i
zyxel wac6502d-s_firmware
zyxel wac6502d-s
zyxel wac6503d-s_firmware
zyxel wac6503d-s
zyxel wac6552d-s_firmware
zyxel wac6552d-s
zyxel wac6553d-e_firmware
zyxel wac6553d-e
zyxel wax300h_firmware
zyxel wax300h
zyxel wax510d_firmware
zyxel wax510d
zyxel wax610d_firmware
zyxel wax610d
zyxel wax620d-6e_firmware
zyxel wax620d-6e
zyxel wax630s_firmware
zyxel wax630s
zyxel wax640s-6e_firmware
zyxel wax640s-6e
zyxel wax650s_firmware
zyxel wax650s
zyxel wax655e_firmware
zyxel wax655e
zyxel wbe530_firmware
zyxel wbe530
zyxel wbe660s_firmware
zyxel wbe660s

References

Frequently Asked Questions

What is CVE-2024-7261? +
The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device. It has a CVSS v3.1 base score of 9.8 (CRITICAL).
How severe is CVE-2024-7261? +
CVE-2024-7261 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.
What products are affected by CVE-2024-7261? +
CVE-2024-7261 affects products from zyxel, specifically: nwa110ax, nwa110ax_firmware, nwa1123-ac_pro, nwa1123-ac_pro_firmware, nwa1123acv3, nwa1123acv3_firmware, nwa130be, nwa130be_firmware, nwa210ax, nwa210ax_firmware, nwa220ax-6e, nwa220ax-6e_firmware, nwa50ax, nwa50ax_firmware, nwa50ax_pro, nwa50ax_pro_firmware, nwa55axe, nwa55axe_firmware, nwa90ax, nwa90ax_firmware, nwa90ax_pro, nwa90ax_pro_firmware, usg_lite_60ax, usg_lite_60ax_firmware, wac500, wac500_firmware, wac500h, wac500h_firmware, wac6103d-i, wac6103d-i_firmware, wac6502d-s, wac6502d-s_firmware, wac6503d-s, wac6503d-s_firmware, wac6552d-s, wac6552d-s_firmware, wac6553d-e, wac6553d-e_firmware, wax300h, wax300h_firmware, wax510d, wax510d_firmware, wax610d, wax610d_firmware, wax620d-6e, wax620d-6e_firmware, wax630s, wax630s_firmware, wax640s-6e, wax640s-6e_firmware, wax650s, wax650s_firmware, wax655e, wax655e_firmware, wbe530, wbe530_firmware, wbe660s, wbe660s_firmware. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2024-7261? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-7261 — free, no signup required.