Zyxel has patched a myriad of vulnerabilities in its various networking devices, including a critical one (CVE-2024-7261) that may allow unauthenticated attackers to execute OS commands on many Zyxel access points (APs) and security routers by sending a specially crafted cookie to the vulnerable devices.

CVE-2024-7261

CVE-2024-7261 is an OS command injection vulnerability that stems from the improper neutralization of special elements in the parameter “host” in the CGI program of some AP and security router versions.
Source: Help Net Security