Zyxel warns of critical OS command injection flaw in routers
ID: de1a8c7f-0991-5a7e-b350-b0466ef1987a
STIX ID: report--de1a8c7f-0991-5a7e-b350-b0466ef1987a
Feed Name: Bleeping Computer
Zyxel released security updates to address a critical unauthenticated OS command injection flaw (CVE-2024-7261, CVSS 9.8) affecting numerous access point and router models. The flaw could allow remote command execution via a crafted cookie. Vendor advisories list the affected models, vulnerable firmware versions, and fixed versions. The advisory also details multiple high-severity vulnerabilities in ATP and USG FLEX firewalls (including an unauthenticated IPSec VPN command injection, CVE-2024-42057, CVSS 8.1) and recommends applying the provided firmware updates.
