Zyxel on Tuesday announced patches for multiple vulnerabilities in its networking devices, including a critical-severity flaw affecting multiple access point (AP) and security router models.

Tracked as CVE-2024-7261 (CVSS score of 9.8), the critical bug is described as an OS command injection issue that could be exploited by remote, unauthenticated attackers via crafted cookies.

The networking device manufacturer has released security updates to address the bug in 28 AP products and one security router model.

The company also announced fixes for seven vulnerabilities in three firewall series devices, namely ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN products.

Five of the resolved security defects, tracked as CVE-2024-7203, CVE-2024-42057, CVE-2024-42058, CVE-2024-42059, and CVE-2024-42060, are high-severity bugs that could allow attackers to execute arbitrary commands and cause a denial-of-service (DoS) condition.

According to Zyxel, authentication is required for three of the command injection issues, but not for the DoS flaw or the fourth command injection bug (however, this defect is exploitable “only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists”).

The company also announced patches for a high-severity buffer overflow vulnerability impacting multiple other networking products. Tracked as CVE-2024-5412, it can be exploited via crafted HTTP requests, without authentication, to cause a DoS condition.

Zyxel has identified at least 50 products affected by this vulnerability. While patches are available for download for four affected models, the owners of the remaining products need to contact their local Zyxel support team to obtain the update file.

The manufacturer makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on Zyxel’s security advisories page.

Related: Recent Zyxel NAS Vulnerability Exploited by Botnet

Related: New BadSpace Backdoor Deployed in Drive-By Attacks

Related: Impacted Vendors Release Advisories for FragAttacks Vulnerabilities

Related: Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall