Zyxel patches critical bug affecting firewall and VPN devices (Security News, March 2022)

Network equipment company Zyxel has updated the firmware of several of its business-grade firewall and VPN products to address a critical-severity vulnerability that could give attackers administrator-level access to affected devices.
"An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device," Zyxel said.
The vulnerability is tracked as CVE-2022-0342. The affected firmware versions, per Zyxel's advisory and the CVE entry, are (ranges inclusive):
- USG/ZyWALL series firmware versions 4.20 through 4.70.
- USG FLEX series firmware versions 4.50 through 5.20.
- ATP series firmware versions 4.32 through 5.20.
- VPN series firmware versions 4.30 through 5.20.
- NSG series firmware versions V1.20 through V1.33 Patch 4.
Zyxel is advising its customers to install the firmware updates "for optimal protection." Because the flaw is an authentication bypass in the management web interface's CGI program, exposing that interface to untrusted networks while unpatched is the main risk. At the time of writing there are no public reports of CVE-2022-0342 being exploited in attacks.
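A practical first step after an advisory like this is to check a device inventory against the affected ranges. The script below is an added example, not Zyxel's code or part of the original article: it encodes the inclusive ranges listed above, parses Zyxel's two version formats ("5.20" and "V1.33 Patch 4"), and flags each device as affected, not affected, or not listed in the advisory. The handling of a parenthesised build suffix such as "(ABUI.0)" assumes the usual ZLD version string layout; the hostnames, series and versions in the sample inventory are constructed for the demonstration. A version above the upper bound is simply outside the advisory's affected range; confirm the exact fixed build against Zyxel's advisory before closing a finding.

```python
import re

# Inclusive affected firmware ranges, as listed in the Zyxel advisory and the
# CVE-2022-0342 entry (upper bounds are the last affected version).
AFFECTED_RANGES = {
    "USG/ZyWALL": ("4.20", "4.70"),
    "USG FLEX": ("4.50", "5.20"),
    "ATP": ("4.32", "5.20"),
    "VPN": ("4.30", "5.20"),
    "NSG": ("V1.20", "V1.33 Patch 4"),
}

# Accepts "5.20", "V1.33 Patch 4" and (assumption about ZLD version strings)
# a build suffix such as "V4.70(ABUI.0)", which is ignored for range checks.
_VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\([^)]*\))?"
    r"(?:\s+Patch\s+(?P<patch>\d+))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple; a missing 'Patch' counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))


def is_affected(series, version):
    """True/False for a series covered by the advisory, None if the series is not listed."""
    if series not in AFFECTED_RANGES:
        return None
    lo, hi = AFFECTED_RANGES[series]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


def triage_inventory(inventory):
    """Annotate (hostname, series, version) rows with the advisory status of each device."""
    labels = {True: "affected", False: "not affected", None: "not listed"}
    return [
        (host, series, version, labels[is_affected(series, version)])
        for host, series, version in inventory
    ]


# Constructed sample inventory: hostnames, series and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-hq-01", "USG FLEX", "V5.20(ABUI.0)"),
    ("fw-branch-02", "ATP", "5.21"),
    ("vpn-dc-01", "VPN", "4.30"),
    ("nsg-store-07", "NSG", "V1.33 Patch 4"),
    ("nsg-store-08", "NSG", "V1.33 Patch 5"),
    ("sw-core-01", "GS1900", "2.70"),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print("{:<14} {:<11} {:<16} {}".format(*row))
```

Feed `triage_inventory` rows exported from your asset database; anything marked "not listed" is a product line the advisory does not name and should be checked separately rather than assumed safe.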
Related news
- Zyxel warns of bad signature update causing firewall boot loops
- Hackers exploit critical unpatched flaw in Zyxel CPE devices
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
- SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
- SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2022-03-28 | CVE-2022-0342 | Improper Authentication vulnerability in Zyxel products: An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. | 9.8