What is CVE-2024-7261?

CVE-2024-7261 is a critical-severity vulnerability in Zyxel Nwa1123acv3 Firmware, classified under OS Command Injection. CVSS score: 9.8/10. Published 2024-09-03.

How severe is CVE-2024-7261?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2024-7261 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Zyxel Nwa1123acv3 Firmware

CVE-2024-7261

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(AC…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.279 (96.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Zyxel Nwa1123acv3 Firmware — versions <= 6.70(ABVT.4)
Zyxel Usg Lite 60ax Firmware — versions V2.00(ACIP.2)
Zyxel Wac500 Firmware — versions <= 6.70(ABVS.4)
Zyxel Wax655e Firmware — versions <= 7.00(ACDO.1)
Zyxel Wbe530 Firmware — versions <= 7.00(ACLE.1)

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

References

www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for… (vendor-advisory)

Frequently asked questions

What is CVE-2024-7261?: CVE-2024-7261 is a critical-severity vulnerability in Zyxel Nwa1123acv3 Firmware, classified under OS Command Injection. CVSS score: 9.8/10. Published 2024-09-03.
How severe is CVE-2024-7261?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2024-7261 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.