Zyxel Patches a Critical Firewall Authentication Bypass Vulnerability

April 5, 2022


Zyxel has released a security advisory addressing a critical authentication bypass vulnerability affecting several firewall models.

The Vulnerability

  • CVE-2022-0342 (CVSS 3.1: 9.8, Critical) – An authentication bypass vulnerability that could allow an attacker to bypass the web authentication and obtain administrative access to the device.

Vulnerable Products

The following Zyxel firewall series are affected:

  • ‘USG/ZyWALL’ – Firmware versions ZLD V4.20 through V4.70.
    • Fixed in ZLD V4.71.
  • ‘USG FLEX’ – Firmware versions ZLD V4.50 through V5.20.
    • Fixed in ZLD V5.21 Patch 1.
  • ‘ATP’ – ZLD V4.32 through V5.20.
    • Fixed in ZLD V5.21 Patch 1.
  • ‘VPN’ – Firmware versions ZLD V4.30 through V5.20.
    • Fixed in ZLD V5.21.
  • ‘NSG’ – V1.20 through V1.33 Patch 4.
    • Fixed in Hotfix V1.33p4_WK11 (contact Zyxel for file).
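
The version ranges above are what an asset-inventory check needs to encode. The following is an added example (not part of the Zyxel advisory or of CYREBRO's own tooling) that parses ZLD version strings in the forms used above ("ZLD V5.21 Patch 1", "V1.33p4_WK11") and classifies a device as affected, fixed, or outside the published range. The inventory entries are constructed sample data, and treating a "_WK" suffix as a hotfix level above the plain patch number is an assumption made here so the NSG hotfix sorts above V1.33 Patch 4.

```python
import re
from typing import NamedTuple


class ZldVersion(NamedTuple):
    major: int
    minor: int
    patch: int   # "Patch N" or "pN"; 0 when absent
    hotfix: int  # 1 when a hotfix tag such as "_WK11" is present (assumption), else 0


_VERSION_RE = re.compile(
    r"^(?:ZLD\s*)?V\.?(\d+)\.(\d+)"     # "ZLD V5.21"; also tolerates the "V.4.30" typo form
    r"(?:\s*Patch\s*(\d+)|p(\d+))?"     # optional "Patch 1" or "p4"
    r"(?:_WK\d+)?$",                    # optional hotfix tag, e.g. "_WK11"
    re.IGNORECASE,
)


def parse_version(text: str) -> ZldVersion:
    """Parse a Zyxel ZLD/NSG firmware version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch_a, patch_b = m.groups()
    patch = int(patch_a or patch_b or 0)
    hotfix = 1 if "_WK" in text.upper() else 0
    return ZldVersion(int(major), int(minor), patch, hotfix)


# Affected range (low, high) and fixed release per series, transcribed from the advisory summary.
ADVISORY = {
    "USG/ZyWALL": ("ZLD V4.20", "ZLD V4.70", "ZLD V4.71"),
    "USG FLEX":   ("ZLD V4.50", "ZLD V5.20", "ZLD V5.21 Patch 1"),
    "ATP":        ("ZLD V4.32", "ZLD V5.20", "ZLD V5.21 Patch 1"),
    "VPN":        ("ZLD V4.30", "ZLD V5.20", "ZLD V5.21"),
    "NSG":        ("V1.20", "V1.33 Patch 4", "V1.33p4_WK11"),
}


def assess(series: str, running: str) -> str:
    """Return 'fixed', 'affected' or 'review' for a device of `series` running `running`."""
    lo, hi, fixed = (parse_version(s) for s in ADVISORY[series])
    v = parse_version(running)
    if v >= fixed:
        return "fixed"
    if lo <= v <= hi:
        return "affected"
    # Below the fixed release but outside the published range (older than `lo`,
    # or a build between `hi` and `fixed`): the advisory does not speak to it,
    # so flag it for manual review rather than silently calling it safe.
    return "review"


# Constructed sample inventory (hostname, series, running firmware); not real devices.
SAMPLE_INVENTORY = [
    ("fw-hq-01",     "USG FLEX",   "ZLD V5.10 Patch 1"),
    ("fw-hq-02",     "USG FLEX",   "ZLD V5.21 Patch 1"),
    ("fw-branch-03", "ATP",        "ZLD V4.32"),
    ("fw-vpn-04",    "VPN",        "ZLD V5.21"),
    ("fw-nsg-05",    "NSG",        "V1.33 Patch 4"),
    ("fw-nsg-06",    "NSG",        "V1.33p4_WK11"),
    ("fw-legacy-07", "USG/ZyWALL", "ZLD V4.10"),
]


def triage(inventory):
    """Classify every inventory row; returns a list of (hostname, status)."""
    return [(host, assess(series, version)) for host, series, version in inventory]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status}")
```

The three-way result matters: a USG/ZyWALL on "ZLD V4.70 Patch 1" is above the listed high end of the range yet below the fixed V4.71, and a device older than the listed range may simply predate the advisory's testing. Both come back as "review" instead of being reported as unaffected.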

Mitigation

CYREBRO urges all clients to upgrade affected products to the fixed firmware versions listed above; NSG customers must request the V1.33p4_WK11 hotfix file from Zyxel. Because the bypass targets the web authentication, limit exposure of the firewall's web management interface to trusted management networks until the update has been applied.

References: Zyxel Advisory
