A vulnerability researcher has discovered a critical security vulnerability in Zyxel NWA50AX Pro WiFi 6 access points that allows unauthenticated attackers to delete arbitrary files on affected devices.
The vulnerability, discovered during a mountain vacation, represents an n-day variant of previously known issues affecting Zyxel's broader product ecosystem.
The vulnerability was discovered serendipitously when a security researcher encountered a Zyxel NWA50AX Pro device while vacationing in the mountains.
Despite attempting to disconnect from work, the researcher’s curiosity was piqued by the multi-gigabit WiFi 6 access point designed for small businesses.
Initial reconnaissance turned up several known critical vulnerabilities for the device in public vulnerability databases, prompting deeper investigation into the firmware.
The researcher extracted the device’s firmware and identified a squashfs file system containing the lighttpd web server configuration.
Analysis of the authentication configuration files revealed concerning whitelist patterns that suggested potential bypass mechanisms.
Through systematic testing, the researcher discovered that certain URL path manipulations could bypass authentication controls, allowing access to CGI binaries from an unauthenticated context.
The core vulnerability resides in the file_upload-cgi binary, which processes file upload requests without proper authentication validation when accessed through specific URL patterns.
The researcher identified that the CGI binary accepts a file_path parameter that gets concatenated with a static /tmp directory prefix through the snprintf function, creating opportunities for path traversal attacks.
More configuration files were included via directives such as auth_zyxel.conf and cgi.conf. A bit of browsing on the guest device was all I got, because obviously I didn’t have the opportunity to take the device apart and destroy it. .cgi endpoints were quickly spotted in my proxy tool, even on the login page.
Critical code analysis revealed two dangerous operations: an unlink call that deletes files and a subsequent rename operation.
By manipulating the file_path.filename parameter with directory traversal sequences like ../usr/local/zyxel-gui/htdocs/ext-js/web-pages/login/images/login_logo.png, attackers can delete arbitrary files outside the intended directory scope.
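The defect described above is the classic "join a client-supplied name onto a fixed prefix and trust the result" pattern. The following is an added C example, not code from the Zyxel firmware or from the researcher's write-up; it reconstructs the unsafe snprintf join as the article describes it, places a hardened builder beside it, and adds a lexical containment check that a defender can drop in front of any unlink()/rename() on a path built from request input. The function names, the 4096-byte path limit and the sample inputs are all constructed for the example; only the /tmp prefix and the traversal string come from the article.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define UPLOAD_ROOT "/tmp"      /* static prefix the article says the CGI uses */
#define MAX_PATH_LEN 4096       /* constructed limit for this example */

/* Vulnerable pattern as the article describes it: the client-supplied
 * filename is joined onto the fixed prefix with snprintf and the result is
 * later handed to unlink()/rename(). Nothing checks that it still points
 * inside UPLOAD_ROOT, so "../" components walk out of the directory. */
int build_path_unsafe(const char *filename, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_ROOT, filename);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened variant: only a bare file name is accepted, so the result can
 * land nowhere but directly inside UPLOAD_ROOT. Returns 0 on success. */
int build_path_safe(const char *filename, char *out, size_t outlen)
{
    if (filename == NULL || filename[0] == '\0')   return -1;
    if (strchr(filename, '/') != NULL)             return -1; /* no subdirs, no "../" */
    if (strcmp(filename, ".") == 0 ||
        strcmp(filename, "..") == 0)               return -1;
    if (strlen(filename) > 255)                    return -1; /* typical NAME_MAX */
    return build_path_unsafe(filename, out, outlen);
}

/* Lexically normalise an absolute path ("//", ".", ".." resolved). Pure
 * string work, so it needs no filesystem; realpath() would need the file
 * to exist and follows symlinks, which is a different check. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    char tmp[MAX_PATH_LEN];
    char *save = NULL;
    size_t len = 1;

    if (in == NULL || in[0] != '/' || outlen < 2 || strlen(in) >= sizeof tmp)
        return -1;
    strcpy(tmp, in);
    out[0] = '/';
    out[1] = '\0';

    for (char *tok = strtok_r(tmp, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        size_t tl = strlen(tok);
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {           /* pop the last component */
            while (len > 1 && out[len - 1] != '/')
                len--;
            if (len > 1)
                len--;                          /* drop its separator too */
            out[len] = '\0';
            continue;
        }
        if (len + (len > 1 ? 1 : 0) + tl + 1 > outlen)
            return -1;
        if (len > 1)
            out[len++] = '/';
        memcpy(out + len, tok, tl);
        len += tl;
        out[len] = '\0';
    }
    return 0;
}

/* 1 if `path` normalises to something strictly inside `root` (root given
 * without a trailing slash), 0 otherwise. Suitable as a defence-in-depth
 * check right before any unlink()/rename() on a client-derived path. */
int stays_under_root(const char *path, const char *root)
{
    char norm[MAX_PATH_LEN];
    size_t rl = strlen(root);

    if (normalize_path(path, norm, sizeof norm) != 0)
        return 0;
    return strncmp(norm, root, rl) == 0 && norm[rl] == '/';
}

/* Wrappers: does the unsafe join escape /tmp, and does the safe builder
 * accept the name? Both return plain ints so the demo stays readable. */
int unsafe_path_escapes(const char *filename)
{
    char buf[MAX_PATH_LEN];
    if (build_path_unsafe(filename, buf, sizeof buf) != 0)
        return -1;
    return stays_under_root(buf, UPLOAD_ROOT) ? 0 : 1;
}

int safe_path_accepts(const char *filename)
{
    char buf[MAX_PATH_LEN];
    return build_path_safe(filename, buf, sizeof buf) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the traversal string quoted in the article and an
     * ordinary upload name. */
    const char *traversal = "../usr/local/zyxel-gui/htdocs/ext-js/web-pages/login/images/login_logo.png";
    const char *benign = "upload.bin";

    printf("unsafe join escapes /tmp: traversal=%d benign=%d\n",
           unsafe_path_escapes(traversal), unsafe_path_escapes(benign));
    printf("safe builder accepts:     traversal=%d benign=%d\n",
           safe_path_accepts(traversal), safe_path_accepts(benign));
    return 0;
}
```

The two checks are deliberately layered: build_path_safe refuses anything that is not a bare file name, which is the right contract for an upload endpoint, while stays_under_root is the generic containment test for code paths that legitimately need subdirectories. Neither replaces authentication on the CGI itself, which the article identifies as the other half of this issue.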
The researcher successfully demonstrated the vulnerability by deleting the login page logo file, providing visual confirmation of the exploit’s effectiveness.
Testing revealed that vulnerable devices return specific HTTP status codes that can be used to fingerprint susceptible installations.
A simple GET request to /cgi-bin/file_upload-cgi/images returns distinctive error codes that indicate vulnerability status.
Notably, the discovery was later connected to existing research by Outpost24's Timothy Hjort, who documented similar vulnerabilities in Zyxel NAS devices in June 2024 under CVE-2024-29974.
According to the report, Internet-wide scanning identified significant exposure, with over 80% of the 42 discovered Zyxel NWA50AX Pro devices showing vulnerability indicators.
The researcher noted that a Censys search returns over 200 devices in the broader product family, suggesting potentially extensive exposure across Zyxel's access point ecosystem.
This connection highlights how code sharing across Zyxel’s product portfolio can propagate vulnerabilities between different device categories, creating challenges for vulnerability management teams operating in CVE-centric environments.
The vulnerability represents a significant security risk as it provides unauthenticated remote attackers with the ability to delete critical system files, potentially disrupting device operation or facilitating further compromise through manipulation of configuration files.
Organizations using affected devices should prioritize firmware updates and network segmentation to mitigate exposure.