Multiple vulnerabilities in Zyxel Firewalls, AP controllers and APs
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-0734 CVE-2022-26531 CVE-2022-26532 CVE-2022-0910 |
| CWE-ID | CWE-79 CWE-20 CWE-78 CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software |
USG series Client/Desktop applications / Antivirus software/Personal firewalls USG FLEX series Client/Desktop applications / Antivirus software/Personal firewalls VPN series Client/Desktop applications / Antivirus software/Personal firewalls ZyWALL Other software / Other software solutions ATP series Hardware solutions / Routers for home users NSG series Hardware solutions / Routers for home users NXC2500 Hardware solutions / Routers & switches, VoIP, GSM, etc NXC5500 Hardware solutions / Routers & switches, VoIP, GSM, etc NAP203 Hardware solutions / Routers & switches, VoIP, GSM, etc NAP303 Hardware solutions / Routers & switches, VoIP, GSM, etc NAP353 Hardware solutions / Routers & switches, VoIP, GSM, etc NWA50AX Hardware solutions / Routers & switches, VoIP, GSM, etc NWA55AXE Hardware solutions / Routers & switches, VoIP, GSM, etc NWA90AX Hardware solutions / Routers & switches, VoIP, GSM, etc NWA1123-AC-HD Hardware solutions / Routers & switches, VoIP, GSM, etc NWA1123-AC-PRO Hardware solutions / Routers & switches, VoIP, GSM, etc NWA5123-AC-HD Hardware solutions / Routers & switches, VoIP, GSM, etc WAX630S Hardware solutions / Routers & switches, VoIP, GSM, etc NWA110AX Hardware solutions / Firmware NWA210AX Hardware solutions / Firmware NWA1123ACv3 Hardware solutions / Firmware NWA1302-AC Hardware solutions / Firmware WAC500H Hardware solutions / Firmware WAC500 Hardware solutions / Firmware WAC5302D-S Hardware solutions / Firmware WAC5302D-Sv2 Hardware solutions / Firmware WAC6103D-I Hardware solutions / Firmware WAC6303D-S Hardware solutions / Firmware WAC6502D-E Hardware solutions / Firmware WAC6502D-S Hardware solutions / Firmware WAC6503D-S Hardware solutions / Firmware WAC6553D-E Hardware solutions / Firmware WAC6552D-S Hardware solutions / Firmware WAX510D Hardware solutions / Firmware WAX610D Hardware solutions / Firmware WAX650S Hardware solutions / Firmware |
| Vendor | ZyXEL Communications Corp. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU63555
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-0734
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the CGI program. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG series: 4.35 - 4.70
ZyWALL: 4.35 - 4.70
USG FLEX series: 4.50 - 5.20
ATP series: 4.35 - 5.20
VPN series: 4.35 - 5.20
CPE2.3- cpe:2.3:a:zyxel_communications_corp:usg_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.35:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.70:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.35:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.70:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:4.50:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:5.20:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:atp_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:vpn_series:*:*:*:*:*:*:*:*
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU63561
Risk: Low
CVSSv4.0: 5.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-26531
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in some CLI commands. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG series: 4.09 - 4.71
ZyWALL: 4.09 - 4.71
USG FLEX series: 4.50 - 5.21
ATP series: 4.32 - 5.21
VPN series: 5.21 - 5.30
NSG series: 1.00 - 1.33 Patch 4
NXC2500: 6.10(AAIG.3)
NXC5500: 6.10(AAOS.3)
NAP203: 6.25(ABFA.7)
NAP303: 6.25(ABEX.7)
NAP353: 6.25(ABEY.7)
NWA50AX: 6.25(ABYW.5)
NWA55AXE: 6.25(ABZL.5)
NWA90AX: 6.27(ACCV.2)
NWA110AX: 6.30(ABTG.2)
NWA210AX: 6.30(ABTD.2)
NWA1123-AC-HD: 6.25(ABIN.6)
NWA1123-AC-PRO: 6.25(ABHD.7)
NWA1123ACv3: 6.30(ABVT.2)
NWA1302-AC: 6.25(ABKU.6)
NWA5123-AC-HD: 6.25(ABIM.6)
WAC500H: 6.30(ABWA.2)
WAC500: 6.30(ABVS.2)
WAC5302D-S: 6.10(ABFH.10)
WAC5302D-Sv2: 6.25(ABVZ.6)
WAC6103D-I: 6.25(AAXH.7)
WAC6303D-S: 6.25(ABGL.6)
WAC6502D-E: 6.25(AASD.7)
WAC6502D-S: 6.25(AASE.7)
WAC6503D-S: 6.25(AASF.7)
WAC6553D-E: 6.25(AASG.7)
WAC6552D-S: 6.25(ABIO.7)
WAX510D: 6.30(ABTF.2)
WAX610D: 6.30(ABTE.2)
WAX630S: 6.30(ABZD.2)
WAX650S: 6.30(ABRM.2)
CPE2.3- cpe:2.3:a:zyxel_communications_corp:usg_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.09:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.09:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:4.50:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:5.21:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:atp_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:vpn_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nsg_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nxc2500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nxc5500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap203:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap303:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap353:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa50ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa55axe:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa90ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa110ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa210ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123-ac-hd:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123-ac-pro:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123acv3:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1302-ac:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa5123-ac-hd:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac500h:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac5302d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac5302d-sv2:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6103d-i:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6303d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6502d-e:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6502d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6503d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6553d-e:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6552d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax510d:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax610d:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax630s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax650s:6.30(ABRM.2):*:*:*:*:*:*:*
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) OS Command Injection
EUVDB-ID: #VU63562
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-26532
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the "packet-trace" CLI command. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG series: 4.09 - 4.71
ZyWALL: 4.09 - 4.71
USG FLEX series: 4.50 - 5.21
ATP series: 4.32 - 5.21
VPN series: 5.21 - 5.30
NSG series: 1.00 - 1.33 Patch 4
NXC2500: 6.10(AAIG.3)
NXC5500: 6.10(AAOS.3)
NAP203: 6.25(ABFA.7)
NAP303: 6.25(ABEX.7)
NAP353: 6.25(ABEY.7)
NWA50AX: 6.25(ABYW.5)
NWA55AXE: 6.25(ABZL.5)
NWA90AX: 6.27(ACCV.2)
NWA110AX: 6.30(ABTG.2)
NWA210AX: 6.30(ABTD.2)
NWA1123-AC-HD: 6.25(ABIN.6)
NWA1123-AC-PRO: 6.25(ABHD.7)
NWA1123ACv3: 6.30(ABVT.2)
NWA1302-AC: 6.25(ABKU.6)
NWA5123-AC-HD: 6.25(ABIM.6)
WAC500H: 6.30(ABWA.2)
WAC500: 6.30(ABVS.2)
WAC5302D-S: 6.10(ABFH.10)
WAC5302D-Sv2: 6.25(ABVZ.6)
WAC6103D-I: 6.25(AAXH.7)
WAC6303D-S: 6.25(ABGL.6)
WAC6502D-E: 6.25(AASD.7)
WAC6502D-S: 6.25(AASE.7)
WAC6503D-S: 6.25(AASF.7)
WAC6553D-E: 6.25(AASG.7)
WAC6552D-S: 6.25(ABIO.7)
WAX510D: 6.30(ABTF.2)
WAX610D: 6.30(ABTE.2)
WAX630S: 6.30(ABZD.2)
WAX650S: 6.30(ABRM.2)
CPE2.3- cpe:2.3:a:zyxel_communications_corp:usg_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.09:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.09:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:4.50:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:5.21:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:atp_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:vpn_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nsg_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nxc2500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nxc5500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap203:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap303:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nap353:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa50ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa55axe:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa90ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa110ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa210ax:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123-ac-hd:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123-ac-pro:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1123acv3:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa1302-ac:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:nwa5123-ac-hd:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac500h:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac500:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac5302d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac5302d-sv2:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6103d-i:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6303d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6502d-e:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6502d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6503d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6553d-e:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wac6552d-s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax510d:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax610d:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax630s:*:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:wax650s:6.30(ABRM.2):*:*:*:*:*:*:*
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU63569
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-0910
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the CGI program. A remote attacker can downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.
MitigationInstall updates from vendor's website.
Vulnerable software versionsUSG series: 4.32 - 4.71
ZyWALL: 4.32 - 4.71
USG FLEX series: 4.50 - 5.21
ATP series: 4.32 - 5.21
VPN series: 4.32 - 5.21
CPE2.3- cpe:2.3:a:zyxel_communications_corp:usg_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.32:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_series:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.32:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:zywall:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:4.50:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:usg_flex_series:5.21:*:*:*:*:*:*:*
- cpe:2.3:h:zyxel_communications_corp:atp_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:zyxel_communications_corp:vpn_series:*:*:*:*:*:*:*:*
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
