Zyxel urges customers to patch critical firewall bypass vulnerability
Zyxel is urging customers to immediately patch a critical vulnerability in the vendor's firewall software.
In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines.
Tracked as CVE-2022-0342 and issued a critical severity score of 9.8, the vulnerability is described as an "authentication bypass" caused by a proper access control mechanism failure.
The bug is present in a number of CGI programs embedded in firewall software.
"The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device," Zyxel says.
The following firmware is impacted:
- USG/ZyWALL: versions 4.20 through 4.70
- USG FLEX: versions 4.50 through 5.20
- ATP: versions 4.32 through 5.20
- VPN: versions 4.30 through 5.20
- NSG: versions 1.20 through 1.33 (Patch 4)
Zyxel has released patches for impacted software, and users should upgrade their builds to protected versions as soon as possible. The vendor notes that after investigating the vulnerability, patches have been made available for products in their support period. Legacy product users should be aware that they may be vulnerable.
Alessandro Sgreccia from Tecnical Service SrL, alongside Innotec Security's Roberto Garcia and Victor Garcia, have been credited for reporting the bug.
See also
- Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
- Log4j: Mirai botnet found targeting ZyXEL networking devices
- SockDetour backdoor used in attacks on defense contractors, says Unit 42
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0