Zyxel Urges Customers to Patch Critical Firewall Bypass Vulnerability

Zyxel urges customers to immediately patch a critical vulnerability in the vendor’s firewall software.

In a security advisory published this week, the Taiwanese networking giant said the security flaw could lead to bypassing firewall protection across Zyxel USG, ZyWALL, FLEX, ATP, VPN and NSG product lines.

Tracked as CVE-2022-0342 and rated critical with a CVSS score of 9.8, the vulnerability is described as an “authentication bypass” caused by a flaw in the device’s access control mechanism.

The bug is present in some of the CGI programs embedded in the firewall software.

“The flaw could allow an attacker to bypass authentication and gain administrative access to the device,” Zyxel said.

The following firmware is affected:

  • USG / ZyWALL: versions 4.20 to 4.70
  • USG-FLEX: versions 4.50 to 5.20
  • ATP: versions 4.32 to 5.20
  • VPN: versions 4.30 to 5.20
  • NSG: versions 1.20 through 1.33 (patch 4)

Zyxel has released patches for the affected software, and users should upgrade to the patched versions as soon as possible. The vendor notes that, after investigating the vulnerability, patches have been made available for products within their support period. Users of older, unsupported products should be aware that their devices may remain vulnerable.

Alessandro Sgreccia of Tecnical Service SrL, along with Roberto Garcia and Victor Garcia of Innotec Security, have been credited with reporting the bug.
