Zyxel patches critical vulnerability that can allow Firewall and VPN hijacks


Hardware manufacturer Zyxel has issued patches for a highly critical security flaw that gives malicious hackers the ability to take control of a wide range of firewalls and VPN products the company sells to businesses.

The flaw is an authentication bypass vulnerability that stems from a lack of a proper access-control mechanism in the CGI (common gateway interface) of affected devices, the company said. Access control refers to a set of policies that rely on passwords and other forms of authentication to ensure resources or data are available only to authorized people. The vulnerability is tracked as CVE-2022-0342.

“The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel said in an advisory. The severity rating is 9.8 out of a possible 10.

The vulnerability is present in the following devices:

Affected series Affected firmware version Patch availability
USG/ZyWALL ZLD V4.20 through ZLD V4.70 ZLD V4.71
USG FLEX ZLD V4.50 through ZLD V5.20 ZLD V5.21 Patch 1
ATP ZLD V4.32 through ZLD V5.20 ZLD V5.21 Patch 1
VPN ZLD V4.30 through ZLD V5.20 ZLD V5.21
NSG V1.20 through V1.33 Patch 4
  • Hotfix V1.33p4_WK11* available now
  • Standard patch V1.33 Patch 5 in May 2022

The advisory comes after other hardware makers have recently reported their products have similar vulnerabilities that are actively being exploited in the wild. Sophos, for instance, said that an authentication bypass vulnerability allowing remote code execution was recently fixed in the Sophos Firewall v18.5 MR3 (18.5.3) and older. CVE-2022-1040 was already being used to target companies, primarily in Asia.

Trend Micro also warned that hackers were exploiting a vulnerability in its Trend Micro Apex Central that made it possible to upload and execute malicious files. The flaw is tracked as CVE-2022-26871.

Zyxel credited the discovery of CVE-2022-0342 to Alessandro Sgreccia from Tecnical Service SrL and Roberto Garcia H and Victor Garcia R from Innotec Security. There are no known reports of the vulnerabilities being actively exploited.