CVE-2024-7261

high-risk

Published 2024-09-03

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

Do I need to act?

23.2% chance of exploitation in next 30 days

EPSS score — higher than 77% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Nwa110Ax Firmware

Nwa1123-Ac Pro Firmware

Nwa1123Acv3 Firmware

Nwa130Be Firmware

Nwa210Ax Firmware

Nwa220Ax-6E Firmware

Nwa50Ax Firmware

Nwa50Ax Pro Firmware

Nwa55Axe Firmware

Nwa90Ax Firmware

Nwa90Ax Pro Firmware

Usg Lite 60Ax Firmware

Wac500 Firmware

Wac500H Firmware

Wac6103D-I Firmware

Wac6502D-S Firmware

Wac6503D-S Firmware

Wac6552D-S Firmware

Wac6553D-E Firmware

Wax300H Firmware

Affected Vendors

Zyxel

References (1)

Vendor Advisory https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advis...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 22/34 · High