
September 4, 2024

Zyxel patches critical, high-severity flaws in business routers


Networking equipment vendor Zyxel has released firmware updates addressing multiple vulnerabilities in several of its business-grade routers, one of them rated critical. The critical bug, tracked as CVE-2024-7261, is an OS command injection flaw: an unauthenticated remote attacker could execute commands on a vulnerable device's operating system simply by sending it a specially crafted cookie. The root cause is the router's CGI program failing to properly validate user-supplied data before passing it on to the underlying system.
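To make the pattern behind the critical bug concrete, the following hypothetical C handler is added here as an illustration; it is not Zyxel's code and not the actual vulnerable CGI program, which this page does not reproduce. It shows a cookie value being concatenated into a shell command line (the class of defect described above) next to a hardened version that allowlists the value and passes it as a single argv element with no shell involved. The cookie name "host", the ping command and the sample Cookie headers are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical CGI handler written for this article as an illustration.
   It is NOT Zyxel's code; the cookie name "host", the ping command and the
   sample Cookie headers below are assumptions. */

#define MAX_HOST 64

/* Pull the value of cookie `name` out of a Cookie header such as
   "sid=abc; host=example.com". Returns the value length, or -1 if the cookie
   is absent or does not fit in out[]. Values are split on ';' only, so an
   attacker cannot smuggle a second cookie but can send any other bytes. */
int get_cookie(const char *header, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, ';');
    }
    return -1;
}

/* VULNERABLE pattern: the cookie value is pasted into a shell command line.
   Returns the command string that such code would hand to system(), so the
   injection is visible without executing anything. NULL if the cookie is
   missing. */
const char *unsafe_command_for(const char *cookie_header)
{
    static char cmd[512];
    char host[256];
    if (get_cookie(cookie_header, "host", host, sizeof host) < 0) return NULL;
    /* "|id", "$(id)" or "`id`" inside the cookie now becomes shell syntax. */
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return cmd;
}

/* Allowlist check: hostname / dotted-quad characters only, bounded length,
   and no leading '-' (which ping would parse as an option). */
int valid_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_HOST || s[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* HARDENED pattern: validate against the allowlist and return the value as
   one token destined for a single argv slot. NULL on rejection. */
const char *safe_host_for(const char *cookie_header)
{
    static char host[MAX_HOST + 1];
    if (get_cookie(cookie_header, "host", host, sizeof host) < 0) return NULL;
    if (!valid_host(host)) return NULL;
    return host;
}

/* Execute ping via fork/execvp: the value occupies one argv element and no
   shell ever parses it. Returns ping's exit status, or -1 on rejection/error. */
int run_ping_safe(const char *cookie_header)
{
    const char *host = safe_host_for(cookie_header);
    if (!host) return -1;
    char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *crafted = "sid=abc; host=127.0.0.1|id";   /* constructed sample */
    printf("unsafe would run : %s\n", unsafe_command_for(crafted));
    printf("hardened accepts : %s\n", safe_host_for(crafted) ? "yes" : "no (rejected)");
    printf("hardened accepts : %s\n", safe_host_for("sid=abc; host=example.com"));
    return 0;
}
```

The fix has two independent halves, and both matter: the allowlist stops the value from carrying shell metacharacters or option-looking prefixes, and execvp() removes the shell entirely so that even a validation gap cannot turn data into a command. Encoding-based bypasses (a CGI that URL-decodes the cookie after the check) are the usual way such filters fail, so validation should run on the final decoded value.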

Zyxel also addressed seven other high-severity vulnerabilities in the same release. The most concerning is CVE-2024-42057, a command injection flaw in the routers' IPSec VPN feature that could be exploited remotely without authentication. In practice its impact is tempered by the specific configuration it requires: the device must be using User-Based-PSK authentication mode and have a configured user whose username is longer than 28 characters.

Zyxel has not said whether proof-of-concept exploit code for the patched vulnerabilities is publicly available, or whether it is aware of any in-the-wild exploitation. The vendor urges all affected users to install the latest updates as soon as possible.

Source: Bleeping Computer

Analysis

Residential and small-business routers generally hold little data of their own, so they make poor targets for ransomware or data-extortion attacks. Instead, threat actors typically exploit vulnerabilities like those above either to gain initial access to the network behind the router or to fold the device into a botnet or command-and-control infrastructure, giving them a distributed, deniable platform from which to launch further malicious activity.

For example, Volt Typhoon, a Chinese state-sponsored threat actor, operated the KV-botnet, made up of thousands of compromised small office/home office (SOHO) routers, firewalls and VPN appliances, until the FBI disrupted it in an operation announced in January 2024.

According to the Shadowserver Foundation, roughly 80,000 Zyxel routers of various models are exposed on the internet worldwide, giving threat actors a sizeable attack surface of potentially vulnerable devices.

[Image 1: Zyxel routers deployed worldwide (Source: Shadowserver Foundation)]

Mitigation

Field Effect's Security Intelligence team continuously monitors the threat landscape for vulnerabilities in devices such as Zyxel routers. Field Effect MDR users are automatically notified if a vulnerable Zyxel device is detected in their environment and are encouraged to review the resulting AROs in the Field Effect Portal as quickly as possible.

Field Effect strongly recommends that users of affected Zyxel routers update to the latest firmware version as soon as possible, in accordance with Zyxel's advisory.
