Zyxel issues patches for security flaws affecting APs and controllers

Zyxel addresses four security vulnerabilities affecting firewalls and AP products

Zyxel deals with security flaws. Firewall and AP devices can receive patches for medium- and high-severity flaws.

Zyxel has published a security advisory warning administrators about four vulnerabilities that could be used to execute arbitrary operating system commands or steal select information. The flaws affect a wide range of its firewall, AP, and AP controller products, and patches are now available.[1]

None of these bugs is rated critical, but they can cause major damage when chained with other flaws, and some are significant on their own even before threat actors start abusing them.[2] Zyxel says a thorough investigation identified exactly which products are vulnerable.

Attackers have exploited critical vulnerabilities in Zyxel's business firewall and VPN devices before.[3] The already patched flaw tracked as CVE-2022-30525, for example, let a remote attacker inject arbitrary commands without any authentication, which is enough to set up a reverse shell on the device.

The list of security vulnerabilities addressed with the latest patches

CVE-2022-0734. A cross-site scripting flaw in some firewall versions. It could be exploited to obtain information stored in users' browsers, such as cookies or session tokens. Medium severity, score 5.8.

CVE-2022-26531. Several input validation flaws in CLI commands of some firewall, AP controller, and AP versions. Medium severity, score 6.1. A locally authenticated attacker could use them to trigger a buffer overflow or crash the system entirely.

CVE-2022-26532. A command injection vulnerability in the packet-trace CLI command of some firewall, AP, and AP controller versions. High severity, score 7.8. A locally authenticated attacker could use it to execute arbitrary OS commands.

CVE-2022-0910. An authentication bypass vulnerability in the CGI component of particular firewall versions. Medium severity, score 6.5. It allows an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.

Available hotfixes and patches

These flaws affect USG/ZyWALL, USG FLEX, ATP, VPN, and NSG firewalls, the NXC2500 and NXC5500 AP controllers, and many Access Point products, including the NAP, NWA, WAC, and WAX series. Zyxel has released firmware patches for the firewalls and AP devices. The hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is available on request from the local Zyxel support teams.

For the firewalls, USG/ZyWALL devices get the fix in firmware version 4.72; USG FLEX, ATP, and VPN devices must upgrade to ZLD version 5.30; and NSG products receive it in version 1.33 patch 5. The vulnerabilities are not critical, but network admins in particular should upgrade their devices as soon as possible, and should make a habit of applying such patches as soon as they are released.
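An administrator with more than a handful of Zyxel devices will want to check the whole inventory against the fixed versions above rather than eyeball each web UI. The following Python script is an added example written for this article, not code from Zyxel or its advisory; the device family names, the plain "major.minor [patch N]" version format, and the sample inventory are assumptions made for illustration (real Zyxel version strings may carry extra suffixes). The one thing it gets right that a quick string or float comparison does not is version ordering: 4.72 is newer than 4.9, so versions must be compared field by field as integers.

```python
import re

# Minimum patched firmware versions for the firewall families named in the
# advisory summary. Family labels and the version format are assumptions
# made for this example, not an official Zyxel data structure.
FIXED_VERSIONS = {
    "USG/ZyWALL": "4.72",
    "USG FLEX": "5.30",
    "ATP": "5.30",
    "VPN": "5.30",
    "NSG": "1.33 patch 5",
}

# Accepts "4.72", "V5.30", "1.33 patch 5" (case-insensitive, optional "V").
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\s*patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) as an integer tuple.

    Integer tuples compare field by field, so parse_version("4.72") is
    correctly newer than parse_version("4.9"); float("4.9") > float("4.72")
    and the string comparison "4.9" > "4.72" would both get this wrong.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(family, running):
    """True if the running firmware is at or above the fixed version."""
    fixed = FIXED_VERSIONS.get(family)
    if fixed is None:
        raise KeyError(f"no fixed version known for family {family!r}")
    return parse_version(running) >= parse_version(fixed)


def audit(inventory):
    """inventory: iterable of (hostname, family, running_version).

    Returns the hostnames that still run vulnerable firmware, in order.
    """
    return [host for host, family, version in inventory
            if not is_patched(family, version)]


# Constructed sample inventory for the example; these are not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "USG FLEX", "5.21"),          # below 5.30 -> unpatched
    ("fw-edge-2", "ATP", "5.30"),               # exactly the fixed version
    ("fw-branch", "USG/ZyWALL", "4.71"),        # below 4.72 -> unpatched
    ("fw-hq", "NSG", "1.33 patch 4"),           # patch 4 < patch 5 -> unpatched
    ("fw-lab", "VPN", "V5.30"),                 # leading "V" is tolerated
]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: firmware below fixed version, upgrade required")
```

Export the inventory from whatever asset system you use into the same (hostname, family, version) tuples and feed it to `audit()`; the AP controllers (NXC2500/NXC5500) are deliberately absent from the table because their fix is a hotfix obtained from Zyxel support rather than a published version number.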

Zyxel has dealt with critical command injection flaws in its devices before, and such flaws are frequently abused by threat actors; the Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2022-30525[4] to its Known Exploited Vulnerabilities catalog. These devices and their vulnerabilities can create problems for US companies in particular, because holidays and national festivities are a favoured time for foreign and domestic attackers to strike.[5]

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
