Zyxel Raises Security Warning for Various Product Vulnerabilities

### Zyxel Alerts Users to Serious Vulnerabilities in Networking Equipment: Urgent Action Needed

Zyxel, a manufacturer of networking hardware, has released a crucial security advisory, notifying users of nearly twelve vulnerabilities present in a broad array of its products. If not addressed, these weaknesses may enable attackers to gain full control over the affected devices, potentially using them as gateways into larger networks. In light of the criticality of these vulnerabilities, Zyxel is advising all users to implement the provided patches without delay.

#### The Most Significant Vulnerability: CVE-2024-7261

The most pressing of these vulnerabilities is designated as **CVE-2024-7261**, which has received an alarming severity score of 9.8 out of 10. This vulnerability allows an unauthenticated attacker to execute OS commands by transmitting a specially crafted cookie to a susceptible device. It arises from the improper handling of special elements in the ‘host’ parameter within the CGI program of the affected access points and security routers. Almost 30 models from Zyxel are at risk due to this vulnerability, making it crucial for users to promptly update their firmware.

#### Other Vulnerabilities in Firewall Models

Zyxel has also discovered seven additional vulnerabilities affecting its firewall models, such as the ATP, USG-FLEX, and USG FLEX 50(W)/USG20(W)-VPN. These vulnerabilities vary in severity, with ratings from 4.9 to 8.1, and include:

– **CVE-2024-6343**: A buffer overflow vulnerability in the CGI program that may enable an authenticated attacker with admin access to conduct a denial-of-service (DoS) attack through specially crafted HTTP requests.

– **CVE-2024-7203**: A post-authentication command injection vulnerability that could permit an authenticated attacker with administrator privileges to execute OS commands by running a specially designed CLI command.

– **CVE-2024-42057**: A command injection vulnerability in the IPSec VPN feature, which might allow an unauthenticated attacker to execute OS commands by submitting a crafted username. This attack is feasible only if the device employs User-Based-PSK authentication and a valid user with a username longer than 28 characters exists.

– **CVE-2024-42058**: A null pointer dereference vulnerability in select firewall versions that could enable an unauthenticated attacker to carry out DoS attacks by sending crafted packets.

– **CVE-2024-42059**: A post-authentication command injection vulnerability that permits an authenticated attacker with admin rights to execute OS commands by uploading a specially crafted compressed language file via FTP.

– **CVE-2024-42060**: Another post-authentication command injection vulnerability allowing an authenticated attacker with administrator access to run OS commands by uploading a crafted internal user agreement file to the vulnerable device.

– **CVE-2024-42061**: A reflected cross-site scripting (XSS) vulnerability in the CGI program “dynamic_script.cgi,” which could enable an attacker to trick a user into opening a crafted URL containing an XSS payload. If the malicious script runs, the attacker could collect browser-side information from the victim.
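The CVE-2024-42057 entry above names two preconditions for exposure: the firewall authenticates IPSec VPN users with User-Based-PSK, and a valid user with a username longer than 28 characters exists. The following triage check is an added example, not Zyxel code or a tool from the advisory; the `username,enabled` CSV export format and the `User-Based-PSK` mode string are assumptions, so adapt the parser to whatever your device actually exports.

```python
"""Exposure triage for the CVE-2024-42057 preconditions in the Zyxel advisory.

Added example (not Zyxel's code). The user-export format is a constructed,
hypothetical 'username,enabled' CSV; only enabled accounts are treated as
"valid users". The check is for prioritising patching, not a substitute for it.
"""
from dataclasses import dataclass

USERNAME_THRESHOLD = 28  # advisory: usernames longer than 28 characters matter


@dataclass
class VpnUser:
    username: str
    enabled: bool


def parse_user_export(text: str) -> list[VpnUser]:
    """Parse the hypothetical 'username,enabled' export; '#' lines are comments."""
    users = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        name, enabled = [f.strip() for f in line.split(",", 1)]
        users.append(VpnUser(name, enabled.lower() in ("1", "true", "yes")))
    return users


def long_usernames(users: list[VpnUser], threshold: int = USERNAME_THRESHOLD) -> list[str]:
    """Return enabled users whose username exceeds the threshold length."""
    return [u.username for u in users if u.enabled and len(u.username) > threshold]


def cve_2024_42057_exposed(auth_mode: str, users: list[VpnUser]) -> bool:
    """True only when both advisory preconditions hold on this device."""
    return auth_mode.lower() == "user-based-psk" and bool(long_usernames(users))


# Constructed sample export (hypothetical format, not from a real device)
SAMPLE_EXPORT = """# username,enabled
alice,1
contractor-site-b-longterm-access-2024,1
disabled-very-long-legacy-account-name,0
"""

if __name__ == "__main__":
    users = parse_user_export(SAMPLE_EXPORT)
    print("long enabled usernames:", long_usernames(users))
    print("exposed:", cve_2024_42057_exposed("User-Based-PSK", users))
```

A device that fails the check still needs the firmware update; the result only tells you which firewalls to patch first.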

#### Buffer Overflow Vulnerability: CVE-2024-5412

Furthermore, **CVE-2024-5412** is another notable vulnerability discovered in 50 Zyxel product models, encompassing various customer premises equipment (CPE), fiber optical network terminals (ONTs), and security routers. This buffer overflow issue lies within the “libclinkc” library of the affected devices and could let an unauthenticated attacker launch DoS attacks via crafted HTTP requests. The severity score for this vulnerability is rated at 7.5.

#### Increasing Threat Landscape

Zyxel devices have increasingly become targets for cyber attackers in recent years. Numerous vulnerabilities in these devices have been actively utilized in the wild, some even facilitating large-scale Distributed Denial-of-Service (DDoS) assaults. For example, in 2021, hackers exploited a backdoor found in Zyxel devices, and in 2023, DDoS botnets continued to take advantage of Zyxel devices with known vulnerabilities.

#### Immediate Action Needed

Given the urgent nature of these vulnerabilities, Zyxel has made patches available for the majority of affected devices. Users can download these patches from the links provided within the security advisories. In certain instances, patches can be accessed through the cloud, while for a limited number of products, users may need to directly contact Zyxel’s support team to acquire the necessary updates.

**Users are highly encouraged to implement these patches immediately to safeguard their networks against potential attacks.**

#### Conclusion

The revelation of these vulnerabilities highlights the necessity for routine security updates and proactive network oversight. As networking devices remain a primary target for cybercriminals, being proactive about potential threats is essential. Zyxel’s prompt action in releasing patches is praiseworthy,