
Zyxel patches critical bug affecting firewall and VPN devices
2022-03-31 19:02

Network equipment company Zyxel has updated the firmware of several of its business-grade firewall and VPN products to address a critical-severity vulnerability that could give attackers administrator-level access to affected devices.

"An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device" - Zyxel.

Affected firmware versions:

USG FLEX series firmware versions 4.50 through 5.20.
ATP series firmware versions 4.32 through 5.20.
VPN series firmware versions 4.30 through 5.20.

Zyxel is advising its customers to install the firmware updates "for optimal protection." At the moment, there are no public reports that CVE-2022-0342 is being exploited in attacks.


News URL

https://www.bleepingcomputer.com/news/security/zyxel-patches-critical-bug-affecting-firewall-and-vpn-devices/

Related Vulnerability

Date: 2022-03-28
CVE: CVE-2022-0342
Title: Improper Authentication vulnerability in Zyxel products
Description: An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.
Attack vector: network
Attack complexity: low
Vendor: Zyxel
Weakness: CWE-287 (Improper Authentication)
Risk: critical (CVSS score 9.8)

Related vendor

Vendor: Zyxel
Number of products: 382
Vulnerabilities by severity: 0 low, 82 medium, 95 high, 51 critical (228 total)