Cyber Resilience

CVE-2024-7261

CriticalRCE

Published: 03 September 2024

Published
03 September 2024
Modified
13 September 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2787 96.6th percentile
Risk Priority 36 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-7261 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zyxel Nwa110Ax Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 3.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-7261 is an OS command injection vulnerability (CWE-78) stemming from improper neutralization of special elements in the "host" parameter within a CGI program. It affects multiple Zyxel access point and security router models running unpatched firmware, specifically NWA1123ACv3 up to version 6.70(ABVT.4), WAC500 up to 6.70(ABVS.4), WAX655E up to 7.00(ACDO.1), WBE530 up to 7.00(ACLE.1), and USG LITE 60AX up to V2.00(ACIP.2). The flaw carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue by sending a crafted cookie containing malicious input to the vulnerable device's web interface. Successful exploitation grants the ability to execute arbitrary operating system commands with full read, write, and control impact on the affected device.

The vendor advisory from Zyxel recommends that administrators upgrade the listed products to the fixed firmware versions provided in the security bulletin to eliminate the command injection vector. No other mitigations such as configuration changes or workarounds are specified.

EU & UK References

Vulnerability details

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier,…

more

and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zyxel
nwa110ax firmware
≤ 7.00\(abtg.2\)
zyxel
nwa1123-ac pro firmware
≤ 6.28\(abhd.3\)
zyxel
nwa1123acv3 firmware
≤ 6.70\(abvt.5\)
zyxel
nwa130be firmware
≤ 7.00\(acil.2\)
zyxel
nwa210ax firmware
≤ 7.00\(abtd.2\)
zyxel
nwa220ax-6e firmware
≤ 7.00\(acco.2\)
zyxel
nwa50ax firmware
≤ 7.00\(abyw.2\)
zyxel
nwa50ax pro firmware
≤ 7.00\(acge.2\)
zyxel
nwa55axe firmware
≤ 7.00\(abzl.2\)
zyxel
nwa90ax firmware
≤ 7.00\(accv.2\)
+19 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References