
CVE-Fest at Zyxel: Several routers and firewalls vulnerable

  • September 5, 2024


Several Zyxel network devices and firewalls are affected by a dozen vulnerabilities. Customers should not delay patching for too long.

Zyxel warns of several vulnerabilities in its network security products. In total, there are almost a dozen problems that can affect a wide variety of products. One vulnerability stands out with a CVSS score of 9.8 out of 10.

The most severe vulnerability is tracked as CVE-2024-7261 and could compromise the manufacturer's access points and security routers. An unauthenticated attacker can exploit the vulnerability to execute operating system commands by sending a malicious cookie to a vulnerable device.

Zyxel has now rolled out a patch. In this overview you can see which device models are vulnerable and which version you need to update to. As with any security vulnerability, we recommend not delaying the patch for too long: before you know it, it is too late.

CVE-Fest

CVE-2024-7261 is the most damaging security vulnerability, but not the only one. Zyxel reports eight other vulnerabilities. These can primarily affect firewalls from the ATP and USG-Flex series as well as the USG-Flex VPN solution. Not every vulnerability is equally serious; CVSS values range between 4.9 and 8.1 out of ten.

For more information about each of these vulnerabilities and what actions you can take, see this advisory. CVE-2024-5412 gets its own page because it affects local network devices.

Zyxel devices regularly have moderate to very severe vulnerabilities. A recently discovered vulnerability allows attackers to integrate the manufacturer’s older NAS servers into a botnet.

Source: IT Daily
