Zyxel has published a security update for administrators warning of multiple vulnerabilities in its firewalls, access currents, and access point controllers.
Although the vulnerabilities are not critical, they still pose a threat both on their own and in conjunction with other vulnerabilities.
CVE-2022-0734 – Cross-site scripting (XSS) in CGI component. The vulnerability allows a data stealing script to intercept cookies and session tokens stored in the browser.
CVE-2022-26531 – Insufficient input validation in some CLI commands. The vulnerability could allow a locally authorized attacker to cause buffer overflows or a system crash.
CVE-2022-2653 – Command injection in some CLI commands. The vulnerability allows a local authorized attacker to execute arbitrary commands on the OS.
CVE-2022-0910 – Authentication bypass in CGI component. The vulnerability allows an attacker to disable two-factor authentication through the IPsec VPN client.
The vulnerabilities affect USG/ZyWALL, USG FLEX, ATP, VPN, NSG firewalls, NXC2500 and NXC5500 access point controllers, and various access points, including NAP, NWA, WAC and WAX series models.
The manufacturer has released security updates for most of the affected models. However, Hotfixes for Access Point Controllers are not publicly available and administrators must request them from their local Zyxel representatives.
As for firewalls, a new firmware version 4.72 has been released for USG/ZyWALL. USG FLEX, ATP and VPN should be upgraded to ZLD 5.30 and NSG products received a fix via v1.33 patch 5.