Zyxel warns of vulnerabilities in a wide range of its products
Zyxel warns of nearly a dozen vulnerabilities in its products, including a critical flaw allowing unauthenticated command execution. Users are urged to apply patches promptly to mitigate risks.
Read original article
Zyxel has issued a warning regarding nearly a dozen vulnerabilities affecting a variety of its networking products, with the most critical vulnerability, CVE-2024-7261, rated 9.8 out of 10. This flaw allows unauthenticated attackers to execute operating system commands by sending a specially crafted cookie to vulnerable devices, potentially leading to complete device takeover. Approximately 30 Zyxel devices are impacted. Additional vulnerabilities include issues in firewall series such as ATP and USG-FLEX, with severity ratings ranging from 4.9 to 8.1. These vulnerabilities could allow authenticated attackers to execute commands, cause denial-of-service attacks, or exploit command injection flaws. Notably, CVE-2024-5412, rated 7.5, affects 50 Zyxel product models and could enable denial-of-service attacks through crafted HTTP requests. Zyxel urges users to apply patches promptly, as many of these vulnerabilities have been actively targeted in recent years. Patches are available for download, with some requiring direct contact with Zyxel's support team for access.
- Zyxel has identified nearly a dozen vulnerabilities in its products, with the most severe rated 9.8.
- CVE-2024-7261 allows unauthenticated attackers to execute OS commands via crafted cookies.
- Additional vulnerabilities affect firewall series and could lead to command execution or denial-of-service attacks.
- Patches are available, but some may require contacting Zyxel support for access.
- Users are urged to patch their devices promptly to mitigate risks.
Related
SolarWind Web Help Desk Java Deserialization Remote Code Execution Vulnerability
CVE-2024-28986 is a critical vulnerability in SolarWinds Web Help Desk, allowing remote code execution. Users are advised to apply patches, as CISA has included it in its Known Exploited Vulnerabilities Catalog.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
New 0-Day Attacks Linked to China's 'Volt Typhoon'
Malicious hackers linked to China's Volt Typhoon group are exploiting a zero-day vulnerability in Versa Director, urging customers to update systems to prevent potential disruptions to critical U.S. infrastructure.
Hackers infect ISPs with malware that steals customers' credentials
Hackers linked to the Chinese government exploited a zero-day vulnerability in the Versa Director platform, affecting U.S. ISPs, allowing credential capture via malware before hashing. The vulnerability was patched.
Yubikey Security Advisory YSA-2024-03 Infineon Ecdsa Private Key Recovery
Yubico issued a security advisory about a vulnerability in Infineon’s cryptographic library affecting YubiKey and YubiHSM devices. Users should update firmware and enhance physical security measures to mitigate risks.
1 commentsRelated
SolarWind Web Help Desk Java Deserialization Remote Code Execution Vulnerability
CVE-2024-28986 is a critical vulnerability in SolarWinds Web Help Desk, allowing remote code execution. Users are advised to apply patches, as CISA has included it in its Known Exploited Vulnerabilities Catalog.
Chrome update fixes 38 security issues, including active vulnerability
Google released a Chrome update addressing 38 vulnerabilities, including a critical 0-day exploit (CVE-2024-7971). Users are urged to update immediately to mitigate risks across all platforms.
New 0-Day Attacks Linked to China's 'Volt Typhoon'
Malicious hackers linked to China's Volt Typhoon group are exploiting a zero-day vulnerability in Versa Director, urging customers to update systems to prevent potential disruptions to critical U.S. infrastructure.
Hackers infect ISPs with malware that steals customers' credentials
Hackers linked to the Chinese government exploited a zero-day vulnerability in the Versa Director platform, affecting U.S. ISPs, allowing credential capture via malware before hashing. The vulnerability was patched.
Yubikey Security Advisory YSA-2024-03 Infineon Ecdsa Private Key Recovery
Yubico issued a security advisory about a vulnerability in Infineon’s cryptographic library affecting YubiKey and YubiHSM devices. Users should update firmware and enhance physical security measures to mitigate risks.