"Zyxel Patches Critical Vulnerabilities in Networking Devices"

Zyxel recently announced patches for multiple vulnerabilities in its networking devices, including a critical severity flaw affecting multiple access points (AP) and security router models.  The critical bug tracked as CVE-2024-7261 (CVSS score of 9.8) is described as an OS command injection issue that could be exploited by remote, unauthenticated attackers via crafted cookies.  The company has released security updates to address the bug in 28 AP products and one security router model.  The company also announced fixes for seven vulnerabilities in three firewall series devices, namely ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN products.  The company noted that five of the resolved security defects, tracked as CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, and CVE-2024-42060, are high-severity bugs that could allow attackers to execute arbitrary commands and cause a denial-of-service (DoS) condition.  Zyxel said that authentication is required for three of the command injection issues but not for the DoS flaw or the fourth command injection bug.  Zyxel also announced patches for a high-severity buffer overflow vulnerability impacting multiple other networking products.  Tracked as CVE-2024-5412, it can be exploited via crafted HTTP requests, without authentication, to cause a DoS condition.  Zyxel has identified at least 50 products affected by this vulnerability.  While patches are available for download for four affected models, the owners of the remaining products need to contact their local Zyxel support team to obtain the update file.  Zyxel did not mention whether these vulnerabilities are being exploited in the wild. 

SecurityWeek reports: "Zyxel Patches Critical Vulnerabilities in Networking Devices"