Networking gear manufacturer Zyxel has warned customers of multiple vulnerabilities recently discovered in a number of firewalls, AP and AP controller products. The vulnerabilities can be exploited to steal various data from the devices, crash them, run arbitrary OS commands and disable multi-factor authentication.
In isolation, the vulnerabilities aren’t particularly threatening, but they can be chained together to perform a more devastating attack. Given that many large enterprises use Zyxel gear, the company has urged its customers to patch up their endpoints immediately.
The four flaws in question are tracked as CVE-2022-0734, a CSS vulnerability in the CGI component; CVE-2022-26531, an improper validation flaw in some CLI commands; CVE-2022-26532, a command injection flaw in some CLI commands; and CVE-2022-0910 (6.5), an authentication bypass vulnerability in the CGI component.
Numerous devices affected
The devices affected by the flaws include USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 AP controllers, and a range of Access Point products, including models of the NAP, NWA, WAC, and WAX series.
While the fixes are already available for most of the affected endpoints, administrators must ask their local service representative for AP controllers hotfix, as these are not available to the general public.
As BleepingComputer notes, US companies should make sure to patch up as soon as possible, given that they are heading into a holiday weekend. Threat actors are known to increase their activities during weekends and holidays, as those are the days when IT departments usually operate with a skeleton team.
Zyxel is a popular target for cybercrooks. Earlier this month, its VPN and firewall products were under attack, when a critical vulnerability tracked as CVE-2022-30525 – present in ATP, VPN and some USG FLEX series products – was discovered.
This flaw allowed threat actors to bypass authentication and achieve remote code execution.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba