Zyxel has published a security update for administrators warning about multiple vulnerabilities in firewalls, access currents and access point controllers of its production.
Although vulnerabilities are not critical, they still pose a threat both by themselves and in conjunction with other vulnerabilities.
CVE-2022-0734 – cross-site scripting (XSS) in the CGI component. The vulnerability allows using a data theft script to intercept cookies and session tokens stored in the browser.
CVE-2022-26531 – insufficient validation of input data in some CLI commands. The vulnerability allows a locally authorized attacker to cause buffer overflows or system crashes.
CVE-2022-2653 – implementing commands in some CLI commands. The vulnerability allows a local authorized attacker to execute arbitrary commands on the OS.
CVE-2022-0910 – bypassing authentication in the CGI component. The vulnerability allows an attacker to disable two-factor authentication via an IPsec VPN client.
Vulnerabilities affect USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 access point controllers, as well as various access points, including models of the NAP, NWA, WAC and WAX series.
The manufacturer has released security updates for most of the affected models. However, urgent fixes for access point controllers are not publicly available, and administrators should request them from their local Zyxel representatives.
As for firewalls, a new firmware version 4.72 has been released for USG/ZyWALL. USG FLEX, ATP and VPN should be updated to ZLD version 5.30, and NSG products received a fix via v1.33 patch 5.