Vulnerabilities > Zyxel > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-29 | CVE-2020-15347 | Insufficiently Protected Credentials vulnerability in Zyxel Cloudcnm Secumanager 3.1.0/3.1.1 Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the q6xV4aW8bQ4cfD-b password for the axiros account. | 9.8 |
| 2022-09-06 | CVE-2022-34747 | Use of Externally-Controlled Format String vulnerability in Zyxel Nas326 Firmware 5.21/5.21(Aazf.7)C0 A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet. | 9.8 |
| 2022-05-12 | CVE-2022-30525 | OS Command Injection vulnerability in Zyxel products A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device. | 9.8 |
| 2022-03-28 | CVE-2022-0342 | Improper Authentication vulnerability in Zyxel products An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. | 9.8 |
| 2022-03-01 | CVE-2021-4039 | OS Command Injection vulnerability in Zyxel Nwa1100-Nh Firmware A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device. | 9.8 |
| 2021-12-29 | CVE-2021-35034 | Insufficient Session Expiration vulnerability in Zyxel Nbg6604 Firmware An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted. | 9.1 |
| 2021-07-02 | CVE-2021-35029 | Improper Authentication vulnerability in Zyxel products An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device. | 9.8 |
| 2021-03-16 | CVE-2020-28899 | Missing Authentication for Critical Function vulnerability in Zyxel products The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. | 9.1 |
| 2020-12-22 | CVE-2020-29583 | Insufficiently Protected Credentials vulnerability in Zyxel products Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. | 9.8 |
| 2020-11-27 | CVE-2020-25014 | Out-of-bounds Write vulnerability in Zyxel Access Points Firmware and ZLD A stack-based buffer overflow in fbwifi_continue.cgi on Zyxel UTM and VPN series of gateways running firmware version V4.30 through to V4.55 allows remote unauthenticated attackers to execute arbitrary code via a crafted http packet. | 9.8 |