Zyxel urges customers to patch critical firewall bypass vulnerability

The vendor has issued a severity score of 9.8.
Written by Charlie Osborne, Contributing Writer

Zyxel is urging customers to immediately patch a critical vulnerability in the vendor's firewall software.  

In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines. 

Tracked as CVE-2022-0342 and issued a critical severity score of 9.8, the vulnerability is described as an "authentication bypass" caused by the lack of a proper access control mechanism.

The bug is present in a number of CGI programs embedded in the firewall software.

"The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device," Zyxel says. 

The following firmware is impacted: 

  • USG/ZyWALL: versions 4.20 through 4.70
  • USG FLEX: versions 4.50 through 5.20
  • ATP: versions 4.32 through 5.20
  • VPN: versions 4.30 through 5.20
  • NSG: versions 1.20 through 1.33 (Patch 4)

Zyxel has released patches for impacted software, and users should upgrade their builds to protected versions as soon as possible. The vendor notes that after investigating the vulnerability, patches have been made available for products in their support period. Legacy product users should be aware that they may be vulnerable. 
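As an added example that is not part of the article or of Zyxel's advisory, the following Python inventory check parses firmware version strings such as "V5.10" or "1.33 (Patch 4)" and flags devices whose build falls inside the ranges listed above. The hostnames and builds in the sample inventory are constructed; a build above a listed range is reported only as "not listed", not as confirmed patched, since the article does not give the fixed versions.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, Optional[int]]

# Affected firmware ranges as listed in the advisory (inclusive). A patch level of
# None on the upper bound means the whole release is listed (e.g. "4.70"), so every
# patch level of that release is treated as affected; conservative by design.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "USG/ZyWALL": ((4, 20, 0), (4, 70, None)),
    "USG FLEX":   ((4, 50, 0), (5, 20, None)),
    "ATP":        ((4, 32, 0), (5, 20, None)),
    "VPN":        ((4, 30, 0), (5, 20, None)),
    "NSG":        ((1, 20, 0), (1, 33, 4)),   # "1.33 (Patch 4)" is the last listed build
}

_VERSION_RE = re.compile(
    r"^\s*V?(\d+)\.(\d+)(?:\s*\(?\s*Patch\s*(\d+)\s*\)?)?\s*$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.70', 'V5.20' or '1.33 (Patch 4)' into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected(product: str, version: str) -> bool:
    """True if the version falls inside the advisory's listed range for that product line."""
    lo, hi = AFFECTED_RANGES[product]
    v = parse_version(version)
    if v < (lo[0], lo[1], lo[2] or 0):
        return False
    if hi[2] is None:                       # whole release listed: compare major.minor only
        return (v[0], v[1]) <= (hi[0], hi[1])
    return v <= (hi[0], hi[1], hi[2])

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) is inside a listed affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]

# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX",   "V5.10"),
    ("fw-branch-02", "USG FLEX",   "5.21"),
    ("fw-hq-01",     "ATP",        "4.32"),
    ("fw-hq-02",     "NSG",        "1.33 (Patch 4)"),
    ("fw-hq-03",     "NSG",        "1.33 Patch 5"),
    ("fw-lab-01",    "USG/ZyWALL", "4.11"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware inside the CVE-2022-0342 affected range, schedule the update")
```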

Alessandro Sgreccia from Tecnical Service SrL, alongside Innotec Security's Roberto Garcia and Victor Garcia, has been credited with reporting the bug. 
