Zyxel Patches Multiple Vulnerabilities in NAS Products

Zyxel has released patches to address five vulnerabilities in two NAS products that have reached end-of-vulnerability-support. Successful exploitation of the vulnerabilities may result in command injection and remote code execution. The vulnerabilities have been given medium and critical severity ratings. Timothy Hjort from Outpost24 discovered the vulnerabilities and reported them to Zyxel. The security researcher …

Zyxel Fixes Critical Firewall OS Command Injection Vulnerability (CVE-2022-30525)

Hackers are actively exploiting a recently patched critical command injection vulnerability (CVE-2022-30525) that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to inject arbitrary commands. Jake Baines …

Backdoor Account in Zyxel Products (CVE-2020-29583)

On December 23rd, 2020, Zyxel published an advisory for a hardcoded credential vulnerability. More than 100,000 Zyxel firewalls, access point controllers and VPN gateways are prone to this vulnerability. Vulnerability Details: Zyxel firewalls and AP controllers contain a hardcoded admin-level backdoor account, which can grant attackers root access to devices via either the SSH interface or …