in

Zyxel urges customers to patch critical firewall bypass vulnerability

Zyxel is urging customers to immediately patch a critical vulnerability in the vendor’s firewall software.  

In a security advisory published this week, the Taiwanese networking giant said the security flaw can lead to the circumvention of firewall protection in Zyxel USG, ZyWALL, FLEX, ATP, VPN, and NSG product lines. 

Tracked as CVE-2022-0342 and issued a critical severity score of 9.8, the vulnerability is described as an “authentication bypass” caused by a proper access control mechanism failure.

The bug is present in a number of CGI programs embedded in firewall software. 

“The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel says. 

The following firmware is impacted: 

  • USG/ZyWALL: versions 4.20 through 4.70
  • USG FLEX: versions 4.50 through 5.20
  • ATP: versions 4.32 through 5.20
  • VPN: versions 4.30 through 5.20
  • NSG: versions 1.20 through 1.33 (Patch 4)

Zyxel has released patches for impacted software, and users should upgrade their builds to protected versions as soon as possible. The vendor notes that after investigating the vulnerability, patches have been made available for products in their support period. Legacy product users should be aware that they may be vulnerable. 

Alessandro Sgreccia from Tecnical Service SrL, alongside Innotec Security’s Roberto Garcia and Victor Garcia, have been credited for reporting the bug. 

See also


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0



Source: Information Technologies - zdnet.com

Government workers rely on Microsoft. That could be a security problem, Google claims

Is it OK to use text messages for 2-factor authentication? [Ask ZDNet]