
Zyxel Networks, a global leader in network technology solutions, has recently released security patches to address post-authentication command injection vulnerabilities affecting a range of its DSL/Ethernet CPE, fiber ONT, and WiFi extender devices.
The vulnerabilities, identified as CVE-2024-11253, CVE-2024-12009, and CVE-2024-12010, carry a CVSS score of 7.2, indicating a high severity level. Successful exploitation could allow an authenticated attacker with administrator privileges to execute arbitrary operating system (OS) commands on the affected devices.
CVE-2024-11253 specifically affects the “DNSServer” parameter of the diagnostic function in certain DSL/Ethernet CPE firmware versions. CVE-2024-12009 affects the “ZyEE” function across various DSL/Ethernet CPE, fiber ONT, and WiFi extender firmware versions. CVE-2024-12010 affects the “zyUtilMailSend” function in similar firmware versions.
Zyxel emphasizes that WAN access is disabled by default on these devices, and that exploitation is only possible if the device's strong, unique administrator password has already been compromised.
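The root cause named above, a user-supplied DNS server value reaching an OS command, is best prevented at the handler by strict input validation and by never passing user data through a shell. The following is an added illustration, not Zyxel firmware code and not derived from the advisory: it assumes a hypothetical diagnostic page that runs a DNS lookup against the `DNSServer` value, and shows how such a handler can accept only address literals and invoke the tool with an argv list.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Hostname grammar (RFC 1123 labels); assumption for this example.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?$"
)


def validate_dns_server(value: str) -> Optional[str]:
    """Return the canonical IPv4/IPv6 literal, or None if the value is not a bare address.

    Anything that is not parseable as an address (including shell metacharacters such as
    ';', '|', '`' or '$(') is rejected outright instead of being escaped.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_lookup_argv(dns_server: str, hostname: str) -> list:
    """Build the argv for a lookup diagnostic without ever forming a shell string.

    Contrast with the injection-prone pattern the advisory class describes:
    building 'nslookup <host> <DNSServer>' as one string and handing it to a shell.
    """
    server = validate_dns_server(dns_server)
    if server is None:
        raise ValueError("DNSServer must be an IPv4 or IPv6 address literal")
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError("hostname is not a valid DNS name")
    # 'nslookup <name> <server>' is an assumed diagnostic command for this example.
    return ["nslookup", hostname, server]


def run_diagnostic(dns_server: str, hostname: str, timeout: float = 5.0) -> str:
    """Execute the diagnostic with shell=False so argv elements are never re-parsed."""
    argv = build_lookup_argv(dns_server, hostname)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, shell=False)
    return result.stdout
```

Because `validate_dns_server` returns the re-serialised address rather than the raw input, the value that reaches `subprocess` can only ever be an address string, whatever the request contained.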
Users of the affected devices are strongly urged to install the latest firmware patches as soon as possible to mitigate the risk posed by these vulnerabilities. A complete list of vulnerable products and corresponding patch availability can be found in the security advisory.
Zyxel is committed to the security of its products and customers and will continue to monitor and respond to potential threats proactively. For further information and assistance with patching, users are advised to contact their Zyxel sales representative or support team.