MidnightBSD

Advisories for zyxel

CVE-2001-1135 HIGH

ZyXEL Prestige 642R and 642R-I routers do not filter the routers' Telnet and FTP ports on the external WAN interface from inside access, allowing someone on an internal computer to reconfigure the router, if the password is known.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 642r
CVE-2001-1194 MEDIUM

Zyxel Prestige 681 and 1600 SDSL Routers allow remote attackers to cause a denial of service via malformed packets with (1) an IP length less than actual packet size, or (2) fragmented packets whose size exceeds 64 kilobytes after reassembly.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige_681 *
zyxel prestige_1600 *
CVE-2002-0438 MEDIUM

ZyXEL ZyWALL 10 before 3.50 allows remote attackers to cause a denial of service via an ARP packet with the firewall's IP address and an incorrect MAC address, which causes the firewall to disable the LAN interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel zywall10 3.20_wa0
zyxel zywall10 3.24_wa0
zyxel zywall10 3.20_wa1
zyxel zywall10 3.50_wa1
zyxel zywall10 3.24_wa2
zyxel zywall10 3.24_wa1
CVE-2002-1071 MEDIUM

ZyXEL Prestige 642R allows remote attackers to cause a denial of service in the Telnet, FTP, and DHCP services (crash) via a TCP packet with both the SYN and ACK flags set.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 310
zyxel prestige 642r
CVE-2002-1072 MEDIUM

ZyXEL Prestige 642R 2.50(FA.1) and Prestige 310 V3.25(M.01), allows remote attackers to cause a denial of service via an oversized, fragmented "jolt" style ICMP packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 310
zyxel prestige 642r
CVE-2004-0670 MEDIUM

Prestige 650HW-31 running Rompager 4.7 software allows remote attackers to cause a denial of service (device reboot) via a long password.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 650hw_31
zyxel prestige 650r_11
CVE-2004-1540 MEDIUM

ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versions, with HTTP Remote Administration enabled, does not require a password to access rpFWUpload.html, which allows remote attackers to reset the router configuration file.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 650hw_31
zyxel prestige 645r_a1
zyxel prestige 650hw
zyxel prestige 650r
zyxel zynos 3.40
zyxel zynos is.3
zyxel zynos is.5
zyxel prestige 650h
CVE-2004-1684 MEDIUM

Zyxel P681 running ZyNOS Vt020225a contains portions of memory in an ARP request, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 681
zyxel zynos vt020225a
CVE-2004-1789 MEDIUM

Cross-site scripting (XSS) vulnerability in the web management interface in ZyWALL 10 4.07 allows remote attackers to inject arbitrary web script or HTML via the rpAuth_1 page.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel zywall10 3.50_wa2
zyxel zywall10 4.07
zyxel zywall10 3.20_wa0
zyxel zywall10 3.24_wa0
zyxel zywall10 3.20_wa1
zyxel zywall10 3.50_wa1
zyxel zywall10 3.24_wa2
zyxel zywall10 3.24_wa1
CVE-2005-0328 MEDIUM

Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige 310
zyxel prestige 324
netgear rt314 *
zyxel prestige 314
netgear rt311 *
CVE-2005-1717 MEDIUM

ZyXEL Prestige 650R-31 router running ZyNOS FW v3.40(KO.1) allows remote attackers to cause a denial of service (CPU consumption and network loss) via crafted fragmented IP packets.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige_650r-31 3.40_ko.1
CVE-2005-3724 MEDIUM

Zyxel P2000W Version 1 VOIP WIFI Phone Wj.00.10 allows remote attackers to obtain sensitive information and possibly cause a denial of service via a direct connection to UDP port 9090, which is undocumented and does not require authentication.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zyxel prestige_2000w_v.1voip_wi-fi_phone wj.00.10
zyxel p2000w_version_1_voip_wifi_phone wj.00.10
CVE-2005-3725 MEDIUM

Zyxel P2000W Version 1 VOIP WIFI Phone Wj.00.10 uses hardcoded IP addresses for its DNS servers, which could allow remote attackers to cause a denial of service or hijack Zyxel phones by attacking or spoofing the hardcoded DNS servers. NOTE: it could be argued that this issue reflects an inherent limitation of DNS itself, so perhaps it should not be included in CVE.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel prestige_2000w_v.1voip_wi-fi_phone wj.00.10
CVE-2006-0302 MEDIUM

ZyXel P2000W VoIP 802.11b Wireless Phone running firmware WV.00.02 allows remote attackers to obtain sensitive information, such as MAC address and software version, by directly accessing UDP port 9090.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel p2000w_version_2_voip_wifi_phone wv.00.02
CVE-2006-2562 HIGH

ZyXEL P-335WT router allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter, which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zyxel p-335wt_router *
CVE-2008-1160 HIGH

ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel zywall_1050_firmware -
CVE-2008-1526 MEDIUM

ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-916,

Products Affected

Vendor Product Version
zyxel p-660h-t1_firmware *
zyxel p-660hw_d1_firmware *
zyxel p-660hw_d3_firmware *
zyxel p-660hw_t3_firmware 3.40(pe9)
zyxel p-662hw-d3_firmware *
zyxel p-660h-67_firmware *
zyxel p-660h-d3_firmware 3.40(pe9)
zyxel p-660h-61_firmware *
zyxel p-663hn-51_firmware *
zyxel p-660hw_d3_firmware 3.40(pe9)
zyxel p-661hw-d1_firmware 3.40(pe9)
zyxel p-661hnu-f3_firmware *
zyxel p-662hw-d_firmware *
zyxel p-660hn-51_firmware *
zyxel p-661h_firmware 3.40(pe9)
zyxel p-662h-61_firmware *
zyxel p-660h-d1_firmware *
zyxel p-662hw-d_firmware 3.40(pe9)
zyxel p-661hnu-f1_firmware 3.40(pe9)
zyxel p-660h-67_firmware 3.40(pe9)
zyxel p-660h-61_firmware 3.40(pe9)
zyxel p-661hw-d1_firmware *
zyxel p-660hn-51_firmware 3.40(pe9)
zyxel p-660hw_t3_firmware *
zyxel p-661h_firmware *
zyxel p-663hn-51_firmware 3.40(pe9)
zyxel p-660h-d3_firmware *
zyxel p-661hnu-f3_firmware 3.40(pe9)
zyxel p-662hw-d3_firmware 3.40(pe9)
zyxel p-662h-61_firmware 3.40(pe9)
zyxel p-660h-63_firmware *
zyxel p-660hw_d1_firmware 3.40(pe9)
zyxel p-661hnu-f1_firmware *
zyxel p-660h-63_firmware 3.40(pe9)
zyxel p-660h-d1_firmware 3.40(pe9)
zyxel p-662hw-d1_firmware *
zyxel p-662hw-d1_firmware 3.40(pe9)
zyxel p-660h-t1_firmware 3.40(pe9)
CVE-2011-0746 MEDIUM

Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel o2_dsl_router_classic *
CVE-2011-4504 HIGH

The UPnP IGD implementation in the Pseudo ICS UPnP software on the ZyXEL P-330W allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-16,

Products Affected

Vendor Product Version
zyxel p-330w_router *
genmei_mori pseudoics 0.3
genmei_mori pseudoics 0.1
genmei_mori pseudoics 0.2
CVE-2013-3588 HIGH

The web management interface on Zyxel P660 devices allows remote attackers to cause a denial of service (reboot) via a flood of TCP SYN packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zyxel p-660h-t3 v2
zyxel p-660h-61 -
zyxel p-660h-67 -
zyxel p-660h-d1 -
zyxel p-660h-t1 v2
zyxel p-660h-t1 -
zyxel p-660hw_d1 v2
zyxel p-660hw_d3 -
zyxel p-660h-d3 -
zyxel p-660hw_t3 -
zyxel p-660h-63 -
zyxel p-660hw_d1 -
zyxel p-660hw _t1
zyxel p-660hw_t3 v2
CVE-2013-6786 MEDIUM

Cross-site scripting (XSS) vulnerability in Allegro RomPager before 4.51, as used on the ZyXEL P660HW-D1, Huawei MT882, Sitecom WL-174, TP-LINK TD-8816, and D-Link DSL-2640R and DSL-2641R, when the "forbidden author header" protection mechanism is bypassed, allows remote attackers to inject arbitrary web script or HTML by requesting a nonexistent URI in conjunction with a crafted HTTP Referer header that is not properly handled in a 404 page. NOTE: there is no CVE for a "URL redirection" issue that some sources list separately.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
allegrosoft rompager *
dlink dsl-2640r -
huawei mt882 -
tp-link td-8816 -
dlink dsl-2641r -
zyxel p-660hw_d1 -
sitecom wl-174 -
CVE-2014-0353 MEDIUM

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to bypass authentication by using %2F sequences in place of / (slash) characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zyxel n300_netusb_nbg-419n_firmware 1.00(bfq_6)c0
zyxel n300_netusb_nbg-419n -
CVE-2014-0354 HIGH

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 has a hardcoded password of qweasdzxc for an unspecified account, which allows remote attackers to obtain index.asp login access via an HTTP request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
zyxel n300_netusb_nbg-419n_firmware 1.00(bfq_6)c0
zyxel n300_netusb_nbg-419n -
CVE-2014-0355 HIGH

Multiple stack-based buffer overflows on the ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allow man-in-the-middle attackers to execute arbitrary code via (1) a long temp attribute in a yweather:condition element in a forecastrss file that is processed by the checkWeather function; the (2) WeatherCity or (3) WeatherDegree variable to the detectWeather function; unspecified input to the (4) UpnpAddRunRLQoS, (5) UpnpDeleteRunRLQoS, or (6) UpnpDeletePortCheckType function; or (7) the SET COUNTRY udps command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
zyxel n300_netusb_nbg-419n_firmware 1.00(bfq_6)c0
zyxel n300_netusb_nbg-419n -
CVE-2014-0356 HIGH

The ZyXEL Wireless N300 NetUSB NBG-419N router with firmware 1.00(BFQ.6)C0 allows remote attackers to execute arbitrary code via shell metacharacters in input to the (1) detectWeather, (2) set_language, (3) SystemCommand, or (4) NTPSyncWithHost function in management.c, or a (5) SET COUNTRY, (6) SET WLAN SSID, (7) SET WLAN CHANNEL, (8) SET WLAN STATUS, or (9) SET WLAN COUNTRY udps command.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel n300_netusb_nbg-419n_firmware 1.00(bfq_6)c0
zyxel n300_netusb_nbg-419n -
CVE-2014-4162 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Zyxel P-660HW-T1 (v3) wireless router allow remote attackers to hijack the authentication of administrators for requests that change the (1) wifi password or (2) SSID via a request to Forms/WLAN_General_1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel p-660hw _t1
CVE-2014-7277 MEDIUM

Cross-site scripting (XSS) vulnerability in the login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified "welcome message" form data that is improperly handled during rendering of the loginMessage list item, a different vulnerability than CVE-2014-7278.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel sbg3300-n -
zyxel sbg3300-n_firmware *
CVE-2014-7278 MEDIUM

The login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00(AADY.4)C0 and earlier allows remote attackers to cause a denial of service (persistent web-interface outage) via JavaScript code within unspecified "welcome message" form data that is improperly handled during use for the loginMsg variable's value, a different vulnerability than CVE-2014-7277.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zyxel sbg3300-n -
zyxel sbg3300-n_firmware *
CVE-2015-0718 HIGH

Cisco NX-OS 4.0 through 6.1 on Nexus 1000V 3000, 4000, 5000, 6000, and 7000 devices and Unified Computing System (UCS) platforms allows remote attackers to cause a denial of service (TCP stack reload) by sending crafted TCP packets to a device that has a TIME_WAIT TCP session, aka Bug ID CSCub70579.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
cisco unified_computing_system 2.1_3c
cisco unified_computing_system 2.0_3b
zyxel gs1900-10hp_firmware *
cisco unified_computing_system 1.4_3s
zzinc keymouse_firmware 3.08
cisco unified_computing_system 2.2_1e
cisco unified_computing_system 1.4_3u
cisco unified_computing_system 1.4_3y
cisco unified_computing_system 2.2_2c
cisco unified_computing_system 2.0_5c
cisco unified_computing_system 1.4_1i
cisco unified_computing_system 2.0_2r
cisco unified_computing_system 2.2_1d
cisco unified_computing_system 1.4_4l
cisco unified_computing_system 2.0_1s
cisco unified_computing_system 2.1_2a
cisco unified_computing_system 2.0_1w
netgear jr6150_firmware *
cisco unified_computing_system 2.0_5b
cisco unified_computing_system 2.1_3a
cisco unified_computing_system 1.4_3q
cisco unified_computing_system 2.0_1q
cisco nx-os base
cisco unified_computing_system 2.1_3b
cisco unified_computing_system 1.4_1j
cisco unified_computing_system 1.4_4g
cisco unified_computing_system 2.0_3c
cisco unified_computing_system 2.1_1b
cisco unified_computing_system 1.4_4i
cisco unified_computing_system 1.5_base
cisco unified_computing_system 2.2_2e
cisco unified_computing_system 1.4_3l
cisco unified_computing_system 2.0_5e
cisco unified_computing_system 2.1_2c
cisco unified_computing_system 2.1_1d
cisco unified_computing_system 2.0_2q
cisco unified_computing_system 2.2_2d
cisco unified_computing_system 1.4_3i
cisco unified_computing_system 2.1_3f
cisco unified_computing_system 2.0_5a
cisco unified_computing_system 2.1_3d
cisco unified_computing_system 2.0_1t
cisco unified_computing_system 1.4_4k
cisco unified_computing_system 1.4_4j
cisco unified_computing_system 2.1_1e
cisco unified_computing_system 2.1_3e
cisco unified_computing_system 2.1_2d
cisco unified_computing_system 1.4_4f
cisco unified_computing_system 2.2_1b
cisco unified_computing_system 2.0_2m
cisco unified_computing_system 2.0_5d
cisco unified_computing_system 1.4_1m
cisco unified_computing_system 1.4_3m
cisco unified_computing_system 2.1_1a
cisco unified_computing_system 2.0_5f
cisco unified_computing_system 2.0_4b
cisco unified_computing_system 2.0_4d
cisco unified_computing_system 1.6_base
cisco unified_computing_system 2.2_1c
sun opensolaris snv_124
cisco unified_computing_system 2.0_3a
cisco unified_computing_system 2.0_1x
cisco unified_computing_system 2.0_4a
cisco unified_computing_system 2.1_1f
samsung x14j_firmware t-ms14jakucb-1102.5
CVE-2015-5987 MEDIUM

Belkin F9K1102 2 devices with firmware 2.10.17 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-5988 HIGH

The web management interface on Belkin F9K1102 2 devices with firmware 2.10.17 has a blank password, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-5989 HIGH

Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side JavaScript code for authorization, which allows remote attackers to obtain administrative privileges via certain changes to LockStatus and Login_Success values.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-5990 MEDIUM

Cross-site request forgery (CSRF) vulnerability on Belkin F9K1102 2 devices with firmware 2.10.17 allows remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-6016 HIGH

ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0), PMG5318-B20A devices with firmware 1.00AANC0b5, and NBG-418N devices have a default password of 1234 for the admin account, which allows remote attackers to obtain administrative access via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
zyxel pmg5318-b20a_firmware v100aanc0b5
zyxel zynos_firmware 3.40(axh.0)
zyxel nbg-418n -
CVE-2015-6017 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Forms/rpAuth_1 on ZyXEL P-660HW-T1 2 devices with ZyNOS firmware 3.40(AXH.0) allow remote attackers to inject arbitrary web script or HTML via the (1) LoginPassword or (2) hiddenPassword parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel p-660hw-t1_v2_firmware 3.40(axh.0)
CVE-2015-6018 HIGH

The diagnostic-ping implementation on ZyXEL PMG5318-B20A devices with firmware before 1.00(AANC.2)C0 allows remote attackers to execute arbitrary commands via the PingIPAddr parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zyxel pmg5318-b20a_firmware *
CVE-2015-6019 MEDIUM

The management portal on ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 does not terminate sessions upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel pmg5318-b20a_firmware v100aanc0b5
CVE-2015-6020 HIGH

ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 allow remote authenticated users to obtain administrative privileges by leveraging access to the user account.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
zyxel pmg5318-b20a_firmware v100aanc0b5
CVE-2015-6260 HIGH

Cisco NX-OS 7.1(1)N1(1) on Nexus 5500, 5600, and 6000 devices does not properly validate PDUs in SNMP packets, which allows remote attackers to cause a denial of service (SNMP application restart) via a crafted packet, aka Bug ID CSCut84645.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-6312 HIGH

Cisco TelePresence Server 3.1 on 7010, Mobility Services Engine (MSE) 8710, Multiparty Media 310 and 320, and Virtual Machine (VM) devices allows remote attackers to cause a denial of service (device reload) via malformed STUN packets, aka Bug ID CSCuv01348.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
netgear jr6150_firmware *
dell emc_powerscale_onefs 8.2.2
zyxel gs1900-10hp_firmware *
zzinc keymouse_firmware 3.08
CVE-2015-6313 HIGH

Cisco TelePresence Server 4.1(2.29) through 4.2(4.17) on 7010; Mobility Services Engine (MSE) 8710; Multiparty Media 310, 320, and 820; and Virtual Machine (VM) devices allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted HTTP requests that are not followed by an unspecified negotiation, aka Bug ID CSCuv47565.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
zzinc keymouse_firmware 3.08
sun opensolaris snv_124
CVE-2015-6398 HIGH

Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switches with software before 11.0(1c) allow remote attackers to cause a denial of service (device reload) via an IPv4 ICMP packet with the IP Record Route option, aka Bug ID CSCuq57512.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2015-7256 MEDIUM

ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-B30A, and VSG1435-B101 DSL CPEs; PMG5318-B20A GPONs; SBG3300-N000, SBG3300-NB00, and SBG3500-N000 small business gateways; GS1900-8 and GS1900-24 switches; and C1000Z, Q1000, FR1000Z, and P8702N project models use non-unique X.509 certificates and SSH host keys.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
zyxel nwa1123-ac_firmware -
zyxel vmg1312-b30a_firmware -
zyxel fr1000z_firmware -
zyxel nwa1100-n_firmware -
zyxel vmg1312-b10a_firmware -
zyxel vsg1435-b101_firmware -
zyxel sbg3500-n000_firmware -
zyxel gs1900-8_firmware -
zyxel p8702n_firmware -
zyxel vmg4380-b10a_firmware -
zyxel vmg8924-b10a_firmware -
zyxel vmg8324-b10a_firmware -
zyxel vmg8924-b30a_firmware -
zyxel c1000z_firmware -
zyxel sbg3300-nb00_firmware -
zyxel p-660hn-51_firmware -
zyxel gs1900-24_firmware -
zyxel nwa1100-nh_firmware -
zyxel p-663hn-51_firmware -
zyxel nwa1121-ni_firmware -
zyxel q1000_firmware -
zyxel nwa1123-ni_firmware -
zyxel vmg1312-b30b_firmware -
zyxel pmg5318-b20a_firmware -
zyxel sbg3300-n000_firmware -
CVE-2015-7283 HIGH

The web administration interface on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 has a default password of 1234 for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware 1.00(aadz.3)c0
CVE-2015-7284 MEDIUM

Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 allows remote attackers to hijack the authentication of arbitrary users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel nbg-418n *
zyxel nbg-418n_firmware 1.00(aadz.3)c0
CVE-2016-10227 HIGH

Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
zyxel nwa3560-n_firmware -
zyxel usg50_firmware -
CVE-2016-10401 HIGH

ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-255,

Products Affected

Vendor Product Version
zyxel pk5001z_firmware -
CVE-2016-1302 HIGH

Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3h) and 1.1 before 1.1(1j) and Nexus 9000 ACI Mode switches with software before 11.0(3h) and 11.1 before 11.1(1j) allow remote authenticated users to bypass intended RBAC restrictions via crafted REST requests, aka Bug ID CSCut12998.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
samsung x14j_firmware t-ms14jakucb-1102.5
cisco nx-os base
zzinc keymouse_firmware 3.08
sun opensolaris snv_124
CVE-2016-1307 MEDIUM

The Openfire server in Cisco Finesse Desktop 10.5(1) and 11.0(1) and Unified Contact Center Express 10.6(1) has a hardcoded account, which makes it easier for remote attackers to obtain access via an XMPP session, aka Bug ID CSCuw79085.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-255,CWE-287,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
zzinc keymouse_firmware 3.08
CVE-2016-1317 MEDIUM

Cisco Unified Communications Manager 11.5(0.98000.480) allows remote authenticated users to obtain sensitive database table-name and entity-name information via a direct request to an unspecified URL, aka Bug ID CSCuy11098.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
CVE-2016-1319 MEDIUM

Cisco Unified Communications Manager (aka CallManager) 9.1(2.10000.28), 10.5(2.10000.5), 10.5(2.12901.1), and 11.0(1.10000.10); Unified Communications Manager IM & Presence Service 10.5(2); Unified Contact Center Express 11.0(1); and Unity Connection 10.5(2) store a cleartext encryption key, which allows local users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuv85958.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
samsung x14j_firmware t-ms14jakucb-1102.5
zzinc keymouse_firmware 3.08
sun opensolaris snv_124
CVE-2016-1329 HIGH

Cisco NX-OS 6.0(2)U6(1) through 6.0(2)U6(5) on Nexus 3000 devices and 6.0(2)A6(1) through 6.0(2)A6(5) and 6.0(2)A7(1) on Nexus 3500 devices has hardcoded credentials, which allows remote attackers to obtain root privileges via a (1) TELNET or (2) SSH session, aka Bug ID CSCuy25800.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zyxel gs1900-10hp_firmware *
samsung x14j_firmware t-ms14jakucb-1102.5
zzinc keymouse_firmware 3.08
sun opensolaris snv_124
CVE-2016-1344 HIGH

The IKEv2 implementation in Cisco IOS 15.0 through 15.6 and IOS XE 3.3 through 3.17 allows remote attackers to cause a denial of service (device reload) via fragmented packets, aka Bug ID CSCux38417.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
cisco ios_xe 3.9s_3.9.2s
cisco ios_xe 3.14s_3.14.3s
cisco ios_xe 3.4s_3.4.1s
cisco ios_xe 3.5e_3.5.2e
cisco ios_xe 3.3xo_3.3.1xo
cisco ios_xe 3.7s_3.7.2s
cisco ios_xe 3.7s_3.7.0s
cisco ios_xe 3.4s_3.4.4s
cisco ios_xe 3.7s_3.7.4as
cisco ios_xe 3.14s_3.14.1s
cisco ios_xe 3.16s_3.16.0s
cisco ios_xe 3.7s_3.7.2ts
netgear jr6150_firmware *
cisco ios_xe 3.11s_3.11.2s
cisco ios_xe 3.14s_3.14.2s
cisco ios_xe 3.3xo_3.3.0xo
cisco ios_xe 3.4sg_3.4.0sg
cisco ios_xe 3.7s_3.7.1s
cisco ios_xe 3.4s_3.4.2s
cisco ios_xe 3.8s_3.8.1s
cisco ios_xe 3.12s_3.12.0s
cisco ios_xe 3.3s_3.3.2s
cisco ios_xe 3.6e_3.6.2ae
cisco ios_xe 3.8s_3.8.0s
cisco ios_xe 3.3sg_3.3.1sg
cisco ios_xe 3.4s_3.4.3s
cisco ios_xe 3.8e_3.8.0e
cisco ios_xe 3.10s_3.10.3s
cisco ios_xe 3.5e_3.5.1e
cisco ios_xe 3.11s_3.11.3s
cisco ios_xe 3.4s_3.4.5s
cisco ios_xe 3.9s_3.9.0as
cisco ios_xe 3.17s_3.17.0s
cisco ios_xe 3.10s_3.10.5s
cisco ios_xe 3.8e_3.8.1e
cisco ios_xe 3.16s_3.16.1s
cisco ios_xe 3.3s_3.3.1s
cisco ios_xe 3.7s_3.7.5s
cisco ios_xe 3.6s_3.6.1s
cisco ios_xe 3.16s_3.16.0cs
cisco ios_xe 3.13s_3.13.4s
cisco ios_xe 3.12s_3.12.3s
cisco ios_xe 3.13s_3.13.2as
cisco ios_xe 3.10s_3.10.2s
cisco ios_xe 3.5s_3.5.0s
cisco ios_xe 3.3s_3.3.0s
cisco ios_xe 3.8s_3.8.2s
cisco ios_xe 3.15s_3.15.0s
zyxel gs1900-10hp_firmware *
cisco ios_xe 3.6e_3.6.2e
cisco ios_xe 3.6s_3.6.0s
zzinc keymouse_firmware 3.08
cisco ios_xe 3.9s_3.9.1s
cisco ios_xe 3.4s_3.4.0s
cisco ios_xe 3.11s_3.11.1s
cisco ios_xe 3.4s_3.4.0as
cisco ios_xe 3.4sg_3.4.3sg
cisco ios_xe 3.6e_3.6.3e
lenovo thinkcentre_e75s_firmware *
cisco ios_xe 3.16s_3.16.1as
cisco ios_xe 3.10s_3.10.6s
cisco ios_xe 3.5e_3.5.0e
cisco ios_xe 3.7s_3.7.4s
cisco ios_xe 3.15s_3.15.1s
cisco ios_xe 3.7s_3.7.3s
cisco ios_xe 3.15s_3.15.1cs
cisco ios_xe 3.13s_3.13.0as
cisco ios_xe 3.13s_3.13.2s
cisco ios_xe 3.10s_3.10.1xbs
cisco ios_xe 3.15s_3.15.2s
cisco ios_xe 3.4s_3.4.6s
cisco ios_xe 3.4sg_3.4.1sg
cisco ios_xe 3.6e_3.6.1e
cisco ios_xe 3.6s_3.6.2s
cisco ios_xe 3.7e_3.7.0e
cisco ios_xe 3.7e_3.7.3e
cisco ios_xe 3.12s_3.12.4s
cisco ios_xe 3.7s_3.7.6s
cisco ios_xe 3.13s_3.13.0s
cisco ios_xe 3.14s_3.14.0s
cisco ios_xe 3.9s_3.9.1as
cisco ios_xe 3.3sg_3.3.0sg
cisco ios_xe 3.4sg_3.4.6sg
cisco ios_xe 3.7s_3.7.7s
cisco ios_xe 3.13s_3.13.3s
cisco ios_xe 3.4sg_3.4.5sg
cisco ios_xe 3.5s_3.5.1s
cisco ios_xe 3.10s_3.10.1s
cisco ios_xe 3.5e_3.5.3e
cisco ios_xe 3.13s_3.13.1s
cisco ios_xe 3.11s_3.11.0s
cisco ios_xe 3.4sg_3.4.2sg
cisco ios_xe 3.3xo_3.3.2xo
cisco ios_xe 3.4sg_3.4.4sg
cisco ios_xe 3.7e_3.7.2e
cisco ios_xe 3.4sg_3.4.7sg
cisco ios_xe 3.7e_3.7.1e
cisco ios_xe 3.12s_3.12.1s
cisco ios_xe 3.11s_3.11.4s
cisco ios_xe 3.10s_3.10.4s
sun opensolaris snv_124
cisco ios_xe 3.6e_3.6.0e
cisco ios_xe 3.9s_3.9.0s
cisco ios_xe 3.5s_3.5.2s
cisco ios_xe 3.12s_3.12.2s
cisco ios_xe 3.10s_3.10.0s
samsung x14j_firmware t-ms14jakucb-1102.5
cisco ios_xe 3.3sg_3.3.2sg
CVE-2016-1346 HIGH

The kernel in Cisco TelePresence Server 3.0 through 4.2(4.18) on Mobility Services Engine (MSE) 8710 devices allows remote attackers to cause a denial of service (panic and reboot) via a crafted sequence of IPv6 packets, aka Bug ID CSCuu46673.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
netgear jr6150_firmware *
dell emc_powerscale_onefs 8.2.2
zyxel gs1900-10hp_firmware *
samsung x14j_firmware t-ms14jakucb-1102.5
zzinc keymouse_firmware 3.08
CVE-2016-1348 HIGH

Cisco IOS 15.0 through 15.5 and IOS XE 3.3 through 3.16 allow remote attackers to cause a denial of service (device reload) via a crafted DHCPv6 Relay message, aka Bug ID CSCus55821.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
cisco ios_xe 3.9s_3.9.2s
cisco ios_xe 3.14s_3.14.3s
cisco ios_xe 3.8s_3.8.2s
cisco ios_xe 3.5e_3.5.2e
cisco ios_xe 3.15s_3.15.0s
zyxel gs1900-10hp_firmware *
cisco ios_xe 3.6e_3.6.2e
cisco ios_xe 3.3xo_3.3.1xo
cisco ios_xe 3.7s_3.7.2s
cisco ios_xe 3.7s_3.7.0s
cisco ios_xe 3.6s_3.6.0s
zzinc keymouse_firmware 3.08
cisco ios_xe 3.9s_3.9.1s
cisco ios_xe 3.11s_3.11.1s
cisco ios_xe 3.7s_3.7.4as
cisco ios_xe 3.6e_3.6.3e
cisco ios_xe 3.14s_3.14.1s
cisco ios_xe 3.16s_3.16.0s
cisco ios_xe 3.16s_3.16.1as
cisco ios_xe 3.10s_3.10.6s
cisco ios_xe 3.7s_3.7.2ts
netgear jr6150_firmware *
cisco ios_xe 3.5e_3.5.0e
cisco ios_xe 3.7s_3.7.4s
cisco ios_xe 3.15s_3.15.1s
cisco ios_xe 3.7s_3.7.3s
cisco ios_xe 3.15s_3.15.1cs
cisco ios_xe 3.11s_3.11.2s
cisco ios_xe 3.14s_3.14.2s
cisco ios_xe 3.13s_3.13.0as
cisco ios_xe 3.13s_3.13.2s
cisco ios_xe 3.10s_3.10.1xbs
cisco ios_xe 3.15s_3.15.2s
cisco ios_xe 3.3xo_3.3.0xo
cisco ios_xe 3.7s_3.7.1s
cisco ios_xe 3.6e_3.6.1e
cisco ios_xe 3.6s_3.6.2s
cisco ios_xe 3.7e_3.7.0e
cisco ios_xe 3.8s_3.8.1s
cisco ios_xe 3.12s_3.12.4s
cisco ios_xe 3.12s_3.12.0s
cisco ios_xe 3.7s_3.7.6s
cisco ios_xe 3.6e_3.6.2ae
cisco ios_xe 3.8s_3.8.0s
cisco ios_xe 3.13s_3.13.0s
cisco ios_xe 3.14s_3.14.0s
cisco ios_xe 3.9s_3.9.1as
cisco ios_xe 3.8e_3.8.0e
cisco ios_xe 3.10s_3.10.3s
cisco ios_xe 3.5e_3.5.1e
cisco ios_xe 3.11s_3.11.3s
cisco ios_xe 3.9s_3.9.0as
cisco ios_xe 3.7s_3.7.7s
cisco ios_xe 3.13s_3.13.3s
cisco ios_xe 3.10s_3.10.5s
cisco ios_xe 3.5s_3.5.1s
cisco ios_xe 3.10s_3.10.1s
cisco ios_xe 3.5e_3.5.3e
cisco ios_xe 3.13s_3.13.1s
cisco ios_xe 3.11s_3.11.0s
cisco ios_xe 3.16s_3.16.1s
cisco ios_xe 3.7s_3.7.5s
cisco ios_xe 3.3xo_3.3.2xo
cisco ios_xe 3.6s_3.6.1s
cisco ios_xe 3.16s_3.16.0cs
cisco ios_xe 3.7e_3.7.2e
cisco ios_xe 3.7e_3.7.1e
cisco ios_xe 3.12s_3.12.1s
cisco ios_xe 3.11s_3.11.4s
cisco ios_xe 3.10s_3.10.4s
sun opensolaris snv_124
cisco ios_xe 3.13s_3.13.4s
cisco ios_xe 3.6e_3.6.0e
cisco ios_xe 3.12s_3.12.3s
cisco ios_xe 3.9s_3.9.0s
cisco ios_xe 3.5s_3.5.2s
cisco ios_xe 3.13s_3.13.2as
cisco ios_xe 3.12s_3.12.2s
cisco ios_xe 3.10s_3.10.2s
cisco ios_xe 3.10s_3.10.0s
cisco ios_xe 3.5s_3.5.0s
samsung x14j_firmware t-ms14jakucb-1102.5
CVE-2016-1349 HIGH

The Smart Install client implementation in Cisco IOS 12.2, 15.0, and 15.2 and IOS XE 3.2 through 3.7 allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in a Smart Install packet, aka Bug ID CSCuv45410.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
cisco ios_xe 3.5e_3.5.2e
cisco ios_xe 3.4sg_3.4.6sg
cisco ios_xe 3.3se_3.3.0se
zyxel gs1900-10hp_firmware *
cisco ios_xe 3.5e_3.5.1e
cisco ios_xe 3.6e_3.6.2e
cisco ios_xe 3.3xo_3.3.1xo
zzinc keymouse_firmware 3.08
cisco ios_xe 3.4sg_3.4.5sg
cisco ios_xe 3.5e_3.5.3e
cisco ios_xe 3.2se_3.2.1se
cisco ios_xe 3.4sg_3.4.3sg
cisco ios_xe 3.4sg_3.4.2sg
netgear jr6150_firmware *
cisco ios_xe 3.5e_3.5.0e
cisco ios_xe 3.2ja_3.2.0ja
cisco ios_xe 3.3se_3.3.4se
cisco ios_xe 3.3xo_3.3.2xo
intel core_i5-9400f_firmware -
cisco ios_xe 3.4sg_3.4.4sg
cisco ios_xe 3.7e_3.7.2e
cisco ios_xe 3.3se_3.3.1se
cisco ios_xe 3.3se_3.3.5se
cisco ios_xe 3.3se_3.3.3se
cisco ios_xe 3.3xo_3.3.0xo
cisco ios_xe 3.4sg_3.4.0sg
cisco ios_xe 3.7e_3.7.1e
sun opensolaris snv_124
cisco ios_xe 3.6e_3.6.0e
cisco ios_xe 3.4sg_3.4.1sg
cisco ios_xe 3.6e_3.6.1e
cisco ios_xe 3.7e_3.7.0e
cisco ios_xe 3.2se_3.2.2se
cisco ios_xe 3.2se_3.2.3se
samsung x14j_firmware t-ms14jakucb-1102.5
cisco ios_xe 3.6e_3.6.2ae
cisco ios_xe 3.2se_3.2.0se
cisco ios_xe 3.3se_3.3.2se
CVE-2016-1350 HIGH

Cisco IOS 15.3 and 15.4, Cisco IOS XE 3.8 through 3.11, and Cisco Unified Communications Manager allow remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCuj23293.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-399,

Products Affected

Vendor Product Version
cisco ios_xe 3.10.1s
cisco ios_xe 3.9.1s
cisco ios_xe 3.11.0s
zyxel gs1900-10hp_firmware *
cisco ios_xe 3.10.2s
cisco ios_xe 3.9.0s
zzinc keymouse_firmware 3.08
cisco ios_xe 3.10.1xbs
sun opensolaris snv_124
cisco ios_xe 3.9.2s
cisco ios_xe 3.10.0s
lenovo thinkcentre_e75s_firmware *
cisco ios_xe 3.9.1as
cisco ios_xe 3.8.1s
cisco ios_xe 3.8.2s
samsung x14j_firmware t-ms14jakucb-1102.5
cisco ios_xe 3.9.0as
cisco ios_xe 3.8.0s
CVE-2017-15226 HIGH

Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the ozkerz component because beginIndex and endIndex are used directly in a popen call.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel nbg6716_firmware 1.00(aakg.9)c0
CVE-2017-17550 MEDIUM

ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account's access could, for example, subsequently be used for stored XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel zywall_usg_100_firmware 3.30(aqq.7)
zyxel zywall_usg_100_firmware 2.12(aqq.2)
CVE-2017-17901 HIGH

ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
zyxel p-660hw_firmware -
CVE-2017-18368 HIGH

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel p660hn-t1a_v1_firmware 7.3.15.0
zyxel p660hn-t1a_v2_firmware 7.3.15.0
billion 5200w-t_firmware 7.3.8.0
CVE-2017-18370 HIGH

The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel p660hn-t1a_v2_firmware 7.3.37.6
zyxel p660hn-t1a_v1_firmware 7.3.37.6
billion 5200w-t_firmware 7.3.8.0
CVE-2017-18371 HIGH

The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to login to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel p660hn-t1a_v2_firmware 7.3.37.6
zyxel p660hn-t1a_v1_firmware 7.3.37.6
billion 5200w-t_firmware 7.3.8.0
CVE-2017-18372 HIGH

The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has a command injection vulnerability in the Time Setting function, which is only accessible by an authenticated user. The vulnerability is in the tools_time.asp page and can be exploited through the uiViewSNTPServer parameter. Authentication can be achieved by exploiting CVE-2017-18373.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel p660hn-t1a_v1_firmware 7.3.15.0
zyxel p660hn-t1a_v2_firmware 7.3.15.0
billion 5200w-t_firmware 7.3.8.0
CVE-2017-18374 HIGH

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has two user accounts with default passwords, including a hardcoded service account with the username true and password true. These accounts can be used to login to the web interface, exploit authenticated command injections and change router settings for malicious purposes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel p660hn-t1a_v1_firmware 7.3.15.0
zyxel p660hn-t1a_v2_firmware 7.3.15.0
billion 5200w-t_firmware 7.3.8.0
CVE-2017-3216 HIGH

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
zyxel max218mw_firmware -
greenpacket ox350_firmware -
huawei hes-339m_firmware -
mada soho_wireless_router_firmware -
huawei hes-319m_firmware -
zte ox-330p_firmware -
zyxel max218m_firmware -
huawei hes-309m_firmware -
zyxel max338m_firmware -
zyxel max318m_firmware -
huawei hes-319m2w_firmware -
huawei bm2022_firmware -
zyxel max308m_fimware -
zyxel max218m1w_firmware -
CVE-2017-6884 HIGH

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel emg2926_firmware v1.00(aaqt.4)b8
CVE-2017-7964 HIGH

Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188,

Products Affected

Vendor Product Version
zyxel wre6505_firmware *
CVE-2018-1164 HIGH

This vulnerability allows remote attackers to cause a denial-of-service condition on vulnerable installations of ZyXEL P-870H-51 DSL Router 1.00(AWG.3)D5. Authentication is not required to exploit this vulnerability. The specific flaw exists within numerous exposed CGI endpoints. The vulnerability is caused by improper access controls that allow access to critical functions without authentication. An attacker can use this vulnerability to reboot affected devices, along with other actions. Was ZDI-CAN-4540.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-732,

Products Affected

Vendor Product Version
zyxel p-870h-51_firmware 1.00(awg.3)d5
CVE-2018-14892 MEDIUM

Missing protections against Cross-Site Request Forgery in the web application in ZyXEL NSA325 V2 version 4.81 allow attackers to perform state-changing actions via crafted HTTP forms.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel nsa325_v2_firmware 4.81
CVE-2018-14893 HIGH

A system command injection vulnerability in zyshclient in ZyXEL NSA325 V2 version 4.81 allows attackers to execute system commands via the web application API.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,CWE-78,

Products Affected

Vendor Product Version
zyxel nsa325_v2_firmware 4.81
CVE-2018-15602 MEDIUM

Zyxel VMG3312 B10B devices are affected by a persistent XSS vulnerability via the pages/connectionStatus/connectionStatus-hostEntry.cmd hostname parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel vmg3312_b10b_firmware -
CVE-2018-18754 MEDIUM

ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the tTn3+Z@!Sr0O+ password hash in the etc/default.cfg file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
zyxel vmg3312-b10b_firmware 1.00(aapp.7)
CVE-2018-19326 MEDIUM

Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zyxel vmg1312-b10d_firmware *
CVE-2018-5330 HIGH

ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zyxel p-660hw_v3_firmware -
CVE-2018-9129 MEDIUM

ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zyxel zywall_110_firmware -
zyxel usg_60_firmware -
zyxel zywall_vpn_100_firmware -
zyxel usg_310_firmware -
zyxel usg_20w-vpn_firmware -
zyxel zywall_1100_firmware -
zyxel zywall_vpn_300_firmware -
zyxel usg_20w_firmware -
zyxel usg_40w_firmware -
zyxel usg_2200-vpn_firmware -
zyxel usg_60w_firmware -
zyxel usg_1100_firmware -
zyxel zywall_vpn_50_firmware -
zyxel usg_1900_firmware -
zyxel zywall_310_firmware -
zyxel usg_40_firmware -
zyxel usg_110_firmware -
CVE-2018-9149 HIGH

The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a suitable mechanism to protect the UART. After an attacker dismantles the device and uses a USB-to-UART cable to connect the device, he can use the 1234 password for the root account to login to the system. Furthermore, an attacker can start the device's TELNET service as a backdoor.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel ac3000_firmware -
CVE-2019-10630 MEDIUM

A plaintext password vulnerability in the Zyxel NAS 326 through 5.21 allows an elevated privileged user to get the admin password of the device.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2019-10631 MEDIUM

Shell Metacharacter Injection in the package installer on Zyxel NAS 326 version 5.21 and below allows an authenticated attacker to execute arbitrary code via multiple different requests.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2019-10632 MEDIUM

A directory traversal vulnerability in the file browser component on the Zyxel NAS 326 version 5.21 and below allows a lower privileged user to change the location of any other user's files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2019-10633 MEDIUM

An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2019-10634 LOW

An XSS vulnerability in the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to inject arbitrary JavaScript or HTML via the user, group, and file-share description fields.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2019-12581 MEDIUM

A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel uag4100_firmware *
zyxel usg1900_firmware *
zyxel usg210_firmware *
zyxel uag2100_firmware *
zyxel usg2200-vpn_firmware *
zyxel uag5100_firmware *
zyxel usg110_firmware *
zyxel usg310_firmware *
zyxel usg1100_firmware *
CVE-2019-12583 MEDIUM

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-425,

Products Affected

Vendor Product Version
zyxel uag4100_firmware *
zyxel usg1900_firmware *
zyxel uag2100_firmware *
zyxel usg2200-vpn_firmware *
zyxel usg110_firmware *
zyxel zywall_110_firmware *
zyxel usg310_firmware *
zyxel zywall_vpn100_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel usg210_firmware *
zyxel uag5100_firmware *
zyxel usg1100_firmware *
CVE-2019-13495 LOW

In firmware version 4.50 of Zyxel XGS2210-52HP, multiple stored cross-site scripting (XSS) issues allows remote authenticated users to inject arbitrary web script via an rpSys.html Name or Location field.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel xgs2210-52hp_firmware 4.50
CVE-2019-15799 HIGH

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. User accounts created through the web interface of the device, when given non-admin level privileges, have the same level of privileged access as administrators when connecting to the device via SSH (while their permissions via the web interface are in fact restricted). This allows normal users to obtain the administrative password by running the tech-support command via the CLI: this contains the encrypted passwords for all users on the device. As these passwords are encrypted using well-known and static parameters, they can be decrypted and the original passwords (including the administrator password) can be obtained.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15800 HIGH

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Due to lack of input validation in the cmd_sys_traceroute_exec(), cmd_sys_arp_clear(), and cmd_sys_ping_exec() functions in the libclicmd.so library contained in the firmware, an attacker could leverage these functions to call system() and execute arbitrary commands on the switches. (Note that these functions are currently not called in this version of the firmware, however an attacker could use other vulnerabilities to finally use these vulnerabilities to gain code execution.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15801 MEDIUM

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware image contains encrypted passwords that are used to authenticate users wishing to access a diagnostics or password-recovery menu. Using the hardcoded cryptographic key found elsewhere in the firmware, these passwords can be decrypted. This is related to fds_sys_passDebugPasswd_ret() and fds_sys_passRecoveryPasswd_ret() in libfds.so.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15802 MEDIUM

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. The firmware hashes and encrypts passwords using a hardcoded cryptographic key in sal_util_str_encrypt() in libsal.so.0.0. The parameters (salt, IV, and key data) are used to encrypt and decrypt all passwords using AES256 in CBC mode. With the parameters known, all previously encrypted passwords can be decrypted. This includes the passwords that are part of configuration backups or otherwise embedded as part of the firmware.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15803 MEDIUM

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. Through an undocumented sequence of keypresses, undocumented functionality is triggered. A diagnostics shell is triggered via CTRL-ALT-t, which prompts for the password returned by fds_sys_passDebugPasswd_ret(). The firmware contains access control checks that determine if remote users are allowed to access this functionality. The function that performs this check (fds_sys_remoteDebugEnable_ret in libfds.so) always return TRUE with no actual checks performed. The diagnostics menu allows for reading/writing arbitrary registers and various other configuration parameters which are believed to be related to the network interface chips.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15804 MEDIUM

An issue was discovered on Zyxel GS1900 devices with firmware before 2.50(AAHH.0)C0. By sending a signal to the CLI process, undocumented functionality is triggered. Specifically, a menu can be triggered by sending the SIGQUIT signal to the CLI application (e.g., through CTRL+\ via SSH). The access control check for this menu does work and prohibits accessing the menu, which contains "Password recovery for specific user" options. The menu is believed to be accessible using a serial console.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48_firmware *
CVE-2019-15815 MEDIUM

ZyXEL P-1302-T10D v3 devices with firmware version 2.00(ABBX.3) and earlier do not properly enforce access control and could allow an unauthorized user to access certain pages that require admin privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
zyxel 2.00(abbx.3) -
CVE-2019-17354 HIGH

wan.htm page on Zyxel NBG-418N v2 with firmware version V1.00(AARP.9)C0 can be accessed directly without authentication, which can lead to disclosure of information about the WAN, and can also be leveraged by an attacker to modify data fields of the page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 3.9 5.5

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zyxel nbg-418n_v2_firmware 1.00(aarp.9)c0
CVE-2019-6710 MEDIUM

Zyxel NBG-418N v2 v1.00(AAXM.4)C0 devices allow login.cgi CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware 1.00(aaxm.6)c0
CVE-2019-6725 HIGH

The rpWLANRedirect.asp ASP page is accessible without authentication on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the page, the admin user's password can be obtained by viewing the HTML source code, and the interface of the modem can be accessed as admin.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel p-660hn-t1_firmware 2.00(aakk.3)
CVE-2019-7391 MEDIUM

ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
zyxel dsl-491hnu-b1b_v2_firmware -
zyxel dsl-491hnu-b10b_firmware -
CVE-2019-9955 MEDIUM

On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel atp500_firmware 4.31
zyxel zywall_110_firmware 4.31
zyxel usg310_firmware 4.31
zyxel zywall_310_firmware 4.31
zyxel usg1100_firmware 4.31
zyxel atp200_firmware 4.31
zyxel usg1900_firmware 4.31
zyxel usg20-vpn_firmware 4.31
zyxel usg60_firmware 4.31
zyxel usg40_firmware 4.31
zyxel zywall_1100_firmware 4.31
zyxel vpn50_firmware -
zyxel vpn300_firmware -
zyxel vpn100_firmware -
zyxel atp800_firmware 4.31
zyxel usg60w_firmware 4.31
zyxel usg40w_firmware 4.31
zyxel usg20w-vpn_firmware 4.31
zyxel usg110_firmware 4.31
zyxel usg2200-vpn_firmware 4.31
zyxel usg210_firmware 4.31
CVE-2020-12695 HIGH

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:H 2.2 4.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-276,

Products Affected

Vendor Product Version
hp envy_110_cq809d -
epson xp-960 -
ui unifi_controller -
hp envy_5535 -
hp envy_4508_e6g72b -
hp envy_5665_f8b06a -
hp envy_7645_e4w44a -
epson xp-702 -
hp deskjet_ink_advantage_4535_f0v64a -
hp envy_photo_7800_k7s00a -
hp hp_officejet_4652_f1j05b -
hp envy_110_cq809c -
epson xp-2101 -
hp envy_4522_f0v67a -
hp envy_5531 -
hp envy_photo_7800_k7r96a -
hp deskjet_ink_advantage_3545_a9t81a -
hp envy_4524_f0v71b -
hp hp_deskjet_ink_advantage_4535_f0v64c -
canon selphy_cp1200 -
hp envy_100_cn517a -
hp envy_5540_k7c85a -
huawei hg532e -
hp hp_deskjet_ink_advantage_4675_f1h97c -
hp envy_110_cq809a -
hp envy_4503_e6g71b -
hp hp_envy_4513_k9h51a -
hp officejet_4658_v6d30b -
hp envy_4500_a9t80a -
hp envy_5642_b9s64a -
hp hp_envy_4511_k9h50a -
hp envy_5640_b9s56a -
epson m571t -
hp envy_120_cz022c -
canonical ubuntu_linux 20.04
hp envy_4502_a9t87b -
broadcom adsl -
epson xp-4100 -
hp envy_6540_b9s59a -
hp hp_officejet_4655_k9v82b -
hp officejet_4650_f1h96a -
hp 5020_z4a69a -
hp envy_4507_e6g70b -
hp envy_5643_b9s63a -
hp hp_officejet_4652_k9v84b -
hp envy_photo_6200_y0k13d_ -
hp deskjet_ink_advantage_4535_f0v64c -
hp envy_4528_k9t08b -
hp hp_officejet_4655_f1j00a -
hp officejet_4650_f1h96b -
hp officejet_4656_k9v81b -
hp envy_5646_f8b05a -
hp deskjet_ink_advantage_3548_a9t81b -
hp envy_4523_j6u60b -
hp envy_6020_5se17a -
hp envy_114_cq811b -
hp envy_5000_m2u91a *
hp hp_officejet_4655_k9v79a -
hp 5030_z4a70a -
hp hp_envy_4524_f0v71b -
hp envy_4524_k9t01a -
epson xp-320 -
hp envy_photo_6200_k7s21b -
hp hp_officejet_4654_f1j06b -
hp envy_4504_a9t88b -
hp envy_6020_7cz37a -
hp envy_5000_m2u94b -
ruckussecurity zonedirector_1200 -
hp hp_envy_4523_j6u60b -
hp officejet_4654_f1j06b -
hp envy_110_cq809b -
hp envy_photo_6200_k7g18a -
hp hp_deskjet_ink_advantage_4538_f0v66b -
hp envy_5000_m2u85a -
hp envy_4525_k9t09b -
hp envy_photo_6230_k7g25b -
hp envy_7644_e4w46a -
huawei hg255s -
hp envy_5536 -
hp envy_114_cq811a -
hp envy_114_cq812a -
hp envy_photo_6252_k7g22a -
hp envy_4500_d3p93a -
debian debian_linux 9.0
hp envy_photo_7100_k7g93a -
hp envy_7640 -
hp envy_5540_f2e72a -
microsoft xbox_one 10.0.19041.2494
hp envy_photo_7800_k7s10d -
debian debian_linux 10.0
hp officejet_4652_k9v84b -
hp hp_deskjet_ink_advantage_4675_f1h97a -
hp 5030_m2u92b -
hp officejet_4655_k9v79a -
hp deskjet_ink_advantage_4675_f1h97c -
hp envy_pro_6420_6wd14a -
hp envy_120_cz022a -
fedoraproject fedora 32
hp envy_photo_6232_k7g26b -
hp envy_5547_j6u64a -
hp deskjet_ink_advantage_5575_g0v48b -
hp envy_pro_6420_5se46a -
hp deskjet_ink_advantage_4535_f0v64b -
hp envy_100_cn518a -
hp envy_4500_a9t80b -
epson xp-330 -
hp envy_photo_6220_k7g20d -
zte zxv10_w300 -
hp deskjet_ink_advantage_4676_f1h98a -
hp envy_5530 -
hp officejet_4652_f1j02a -
hp hp_envy_4516_k9h52a -
hp envy_5532 -
hp envy_photo_7100_k7g99a -
epson xp-241 -
hp deskjet_ink_advantage_4515 -
hp envy_5543_n9u88a -
hp officejet_4652_f1j05b -
hp envy_5544_k7c93a -
hp hp_envy_4525_k9t09b -
hp envy_100_cn517b -
hp envy_photo_7120_z3m41d -
hp hp_envy_4512_k9h49a -
hp hp_deskjet_ink_advantage_4676_f1h98a -
asus rt-n11 -
hp envy_4520_e6g67b -
dell b1165nfw -
hp hp_officejet_4650_e6g87a -
hp envy_4520_e6g67a -
hp envy_photo_6234_k7s21b -
hp envy_5541_k7g89a -
hp hp_officejet_4650_f1h96a -
hp hp_envy_4521_k9t10b -
epson xp-2105 -
epson xp-4105 -
hp envy_100_cn517c -
hp envy_4513_k9h51a -
hp deskjet_ink_advantage_4518 -
dlink dvg-n5412sp -
hp hp_envy_4520_e6g67a -
hp officejet_4655_k9v82b -
hp envy_photo_6222_y0k13d -
hp envy_4511_k9h50a -
hp envy_photo_7100_3xd89a -
microsoft windows_10 -
hp envy_100_cn519b -
hp officejet_4654_f1j07b -
hp hp_envy_4524_k9t01a -
tp-link archer_c50 -
hp hp_envy_4520_e6g67b -
hp envy_4520_f0v63b -
hp deskjet_ink_advantage_3545_a9t81c -
cisco wap351 -
nec wr8165n -
hp envy_5540_g0v47a -
hp envy_4520_f0v69a -
zyxel amg1202-t10b -
epson ew-m970a3t -
hp envy_4501_c8d05a -
hp envy_5000_m2u85b -
hp hp_envy_4526_k9t05b -
hp hp_envy_4527_j6u61b -
hp hp_envy_4520_f0v63b -
hp hp_officejet_4650_f1h96b -
hp hp_officejet_4654_f1j07b -
hp envy_5000_z4a74a -
hp envy_6052_5se18a -
hp hp_deskjet_ink_advantage_4536_f0v65a -
hp deskjet_ink_advantage_4678_f1h99b -
hp envy_110_cq812c -
hp envy_120_cz022b -
cisco wap150 -
hp officejet_4650_e6g87a -
epson xp-340 -
hp envy_5000_z4a54a -
hp hp_officejet_4652_f1j02a -
hp envy_5534 -
cisco wap131 -
hp deskjet_ink_advantage_3545_a9t83b -
hp deskjet_ink_advantage_4675_f1h97a -
hp envy_5640_b9s58a -
hp hp_envy_4524_f0v72b -
hp officejet_4655_f1j00a -
hp envy_5664_f8b08a -
hp 5034_z4a74a -
epson xp-100 -
hp envy_4527_j6u61b -
w1.fi hostapd *
hp deskjet_ink_advantage_3546_a9t82a -
hp envy_6020_6wd35a -
hp hp_envy_4520_f0v69a -
hp envy_4520_f0v63a -
hp hp_officejet_4657_v6d29b -
epson xp-970 -
hp envy_photo_6220_k7g21b -
hp envy_4521_k9t10b -
hp envy_photo_6222_y0k14d -
hp deskjet_ink_advantage_4536_f0v65a -
hp envy_photo_7100_z3m52a -
hp envy_4500_a9t89a -
hp envy_5542_k7c88a -
hp envy_photo_7164_k7g99a -
hp envy_6020_5se16b -
hp envy_4516_k9h52a -
hp envy_111_cq810a -
hp envy_photo_7830_y0g50b -
hp envy_4526_k9t05b -
hp envy_pro_6420_6wd16a -
netgear wnhde111 -
hp envy_4504_c8d04a -
hp envy_5644_b9s65a -
hp envy_photo_7822_y0g43d -
hp envy_5020_m2u91b -
hp envy_photo_6200_y0k15a -
hp envy_5548_k7g87a -
hp hp_deskjet_ink_advantage_4535_f0v64a -
hp deskjet_ink_advantage_5575_g0v48c -
hp hp_officejet_4656_k9v81b -
hp envy_5540_g0v53a -
hp envy_5545_g0v50a -
epson xp-8600 -
epson xp-440 -
hp envy_5540_g0v52a -
hp envy_photo_7100_z3m37a -
hp hp_deskjet_ink_advantage_4675_f1h97b -
hp envy_photo_7800_y0g42d -
hp envy_5539 -
epson xp-630 -
hp hp_envy_4522_f0v67a -
hp deskjet_ink_advantage_3456_a9t84c -
hp envy_4505_a9t86a -
hp hp_envy_4528_k9t08b -
epson xp-8500 -
hp hp_deskjet_ink_advantage_4535_f0v64b -
hp envy_4509_d3p94b -
hp envy_6055_5se16a -
hp envy_photo_7155_z3m52a -
zyxel vmg8324-b10a -
hp officejet_4657_v6d29b -
hp envy_4512_k9h49a -
hp envy_4524_f0v72b -
hp envy_photo_6200_k7g26b -
hp envy_5544_k7c89a -
hp envy_4502_a9t85a -
hp envy_pro_6452_5se47a -
hp envy_5546_k7c90a -
hp envy_photo_7800_y0g52b -
fedoraproject fedora 31
hp hp_deskjet_ink_advantage_4678_f1h99b -
hp deskjet_ink_advantage_4675_f1h97b -
hp envy_pro_6420_5se45b -
hp envy_5000_m2u91a -
epson ep-101 -
hp envy_100_cn519a -
hp envy_photo_7822_y0g42d -
epson xp-620 -
hp hp_officejet_4658_v6d30b -
hp 5660_f8b04a -
hp envy_pro_6455_5se45a -
hp hp_envy_4520_f0v63a -
hp envy_4509_d3p94a -
hp deskjet_ink_advantage_4538_f0v66b -
hp envy_5540_g0v51a -
CVE-2020-13364 HIGH

A backdoor in certain Zyxel products allows remote TELNET access via a CGI script. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas540_firmware *
zyxel nas326_firmware *
zyxel nas520_firmware *
CVE-2020-13365 HIGH

Certain Zyxel products have a locally accessible binary that allows a non-root user to generate a password for an undocumented user account that can be used for a TELNET session as root. This affects NAS520 V5.21(AASZ.4)C0, V5.21(AASZ.0)C0, V5.11(AASZ.3)C0, and V5.11(AASZ.0)C0; NAS542 V5.11(ABAG.0)C0, V5.20(ABAG.1)C0, and V5.21(ABAG.3)C0; NSA325 v2_V4.81(AALS.0)C0 and V4.81(AAAJ.1)C0; NSA310 4.22(AFK.0)C0 and 4.22(AFK.1)C0; NAS326 V5.21(AAZF.8)C0, V5.11(AAZF.4)C0, V5.11(AAZF.2)C0, and V5.11(AAZF.3)C0; NSA310S V4.75(AALH.2)C0; NSA320S V4.75(AANV.2)C0 and V4.75(AANV.1)C0; NSA221 V4.41(AFM.1)C0; and NAS540 V5.21(AATB.5)C0 and V5.21(AATB.3)C0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas540_firmware *
zyxel nas326_firmware *
zyxel nas520_firmware *
CVE-2020-14461 MEDIUM

Zyxel Armor X1 WAP6806 1.00(ABAL.6)C0 devices allow Directory Traversal via the images/eaZy/ URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
zyxel wap6806_firmware 1.00(abal.6)c0
CVE-2020-15312 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15313 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15314 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15315 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/axess chroot directory tree.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15316 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH key for the root account within the /opt/axess chroot directory tree.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15317 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account within the /opt/axess chroot directory tree.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15318 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key for the root account within the /opt/mysql chroot directory tree.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15319 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key for the root account within the /opt/mysql chroot directory tree.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15320 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axiros password for the root account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15321 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password for the livedbuser account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15322 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM hardcoded password for the debian-sys-maint account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15323 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password for the a1@chopin account default credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15324 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/opt/axXMPPHandler/config/xmpp_config.py file that stores hardcoded credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
zyxel cloud_cnm_secumanager 3.1.1
zyxel cloud_cnm_secumanager 3.1.0
CVE-2020-15325

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cookie for ejabberd replication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15326

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certificate for Ejabberd in ejabberd.pem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15327

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 uses ZODB storage without authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15328

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/var/blobstorage/ permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15329

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak Data.fs permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15330

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15331

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded OAUTH_SECRET_KEY in /opt/axess/etc/default/axess.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15332

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15333

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows attackers to discover accounts via MySQL "select * from Administrator_users" and "select * from Users_users" requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15334

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows escape-sequence injection into the /var/log/axxmpp.log file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15335 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /registerCpe requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15336 MEDIUM

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has no authentication for /cnr requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15337

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /registerCpe requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15338

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a "Use of GET Request Method With Sensitive Query Strings" issue for /cnr requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15339

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows live/CPEManager/AXCampaignManager/handle_campaign_script_link?script_name= XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15340

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded opt/axess/AXAssets/default_axess/axess/TR69/Handlers/turbolink/sshkeys/id_rsa SSH key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15341

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated update_all_realm_license API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15342

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15343

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_install_user_key API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15344

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_user_id_and_key API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15345

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has an unauthenticated zy_get_instances_for_update API.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15346

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a /live/GLOBALS API with the CLOUDCNM key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15347

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the q6xV4aW8bQ4cfD-b password for the axiros account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel cloudcnm_secumanager 3.1.0
zyxel cloudcnm_secumanager 3.1.1
CVE-2020-15348 HIGH

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 allows use of live/CPEManager/AXCampaignManager/delete_cpes_by_ids?cpe_ids= for eval injection of Python code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
zyxel cloud_cnm_secumanager 3.1.1
zyxel cloud_cnm_secumanager 3.1.0
CVE-2020-20183 MEDIUM

Insecure direct object reference vulnerability in Zyxel’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
zyxel p1302-t10_v3_firmware 2.00
CVE-2020-24354 MEDIUM

Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by shell injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zyxel vmg5313-b30b_firmware *
CVE-2020-24355 HIGH

Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges. This is done by changing "FirstIndex" field in JSON that is POST-ed during account creation. Similar may also be possible with account deletion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zyxel vmg5313-b30b_firmware *
CVE-2020-25014 HIGH

A stack-based buffer overflow in fbwifi_continue.cgi on Zyxel UTM and VPN series of gateways running firmware version V4.30 through to V4.55 allows remote unauthenticated attackers to execute arbitrary code via a crafted http packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
zyxel access_points_firmware *
zyxel access_points_firmware 6.10
zyxel access_points_firmware -
zyxel zld *
zyxel zld_firmware *
CVE-2020-28899 MEDIUM

The Web CGI Script on ZyXEL LTE4506-M606 V1.00(ABDO.2)C0 devices does not require authentication, which allows remote unauthenticated attackers (via crafted JSON action data to /cgi-bin/gui.cgi) to use all features provided by the router. Examples: change the router password, retrieve the Wi-Fi passphrase, send an SMS message, or modify the IP forwarding to access the internal network.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
zyxel lte4506-m606_firmware *
zyxel wah7706_firmware *
zyxel lte7460-m608_firmware *
CVE-2020-29299 HIGH

Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
zyxel zld *
zyxel vpn_orchestrator *
zyxel usg_flex_firmware -
zyxel nsg_firmware 1.33
zyxel nsg_firmware *
CVE-2020-29583 HIGH

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,CWE-522,

Products Affected

Vendor Product Version
zyxel usg40w_firmware 4.60
zyxel atp800_firmware 4.60
zyxel zywall110_firmware 4.60
zyxel vpn1000_firmware 4.60
zyxel usg_flex_700_firmware 4.60
zyxel vpn300_firmware 4.60
zyxel usg20w-vpn_firmware 4.60
zyxel usg210_firmware 4.60
zyxel usg20-vpn_firmware 4.60
zyxel zywall1100_firmware 4.60
zyxel usg60_firmware 4.60
zyxel usg2200_firmware 4.60
zyxel usg_flex_100w_firmware 4.60
zyxel atp100w_firmware 4.60
zyxel atp100_firmware 4.60
zyxel usg_flex_100_firmware 4.60
zyxel zywall310_firmware 4.60
zyxel atp200_firmware 4.60
zyxel usg1100_firmware 4.60
zyxel vpn50_firmware 4.60
zyxel atp700_firmware 4.60
zyxel usg_flex_200_firmware 4.60
zyxel usg110_firmware 4.60
zyxel usg1900_firmware 4.60
zyxel usg60w_firmware 4.60
zyxel usg40_firmware 4.60
zyxel vpn100_firmware 4.60
zyxel usg_flex_500_firmware 4.60
zyxel atp500_firmware 4.60
zyxel usg310_firmware 4.60
CVE-2020-9054 HIGH

Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel usg1900_firmware *
zyxel nas542_firmware *
zyxel usg60w_firmware *
zyxel usg40w_firmware *
zyxel usg20w-vpn_firmware *
zyxel vpn300_firmware *
zyxel zywall110_firmware *
zyxel usg2200_firmware *
zyxel nas540_firmware *
zyxel atp500_firmware *
zyxel zywall310_firmware *
zyxel usg60_firmware *
zyxel zywall1100_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg110_firmware *
zyxel usg310_firmware *
zyxel usg20-vpn_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel usg210_firmware *
zyxel vpn100_firmware *
zyxel nas326_firmware *
zyxel nas520_firmware *
zyxel usg1100_firmware *
CVE-2021-3297 HIGH

On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,

Products Affected

Vendor Product Version
zyxel nbg2105_firmware v1.00(aagu.2)c0
CVE-2021-35027 MEDIUM

A directory traversal vulnerability in the web server of the Zyxel VPN2S firmware version 1.12 could allow a remote attacker to gain access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-27,CWE-22,

Products Affected

Vendor Product Version
zyxel zywall_vpn2s_firmware 1.12(abln.0)c0
CVE-2021-35028 HIGH

A command injection vulnerability in the CGI program of the Zyxel VPN2S firmware version 1.12 could allow an authenticated, local user to execute arbitrary OS commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.3 HIGH CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 0.7 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel zywall_vpn2s_firmware 1.12(abln.0)c0
CVE-2021-35029 HIGH

An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
zyxel usg1900_firmware *
zyxel zywall_atp100_firmware *
zyxel usg60w_firmware *
zyxel usg2200-vpn_firmware *
zyxel zywall_vpn50_firmware *
zyxel usg40w_firmware *
zyxel zywall_110_firmware *
zyxel zywall_vpn100_firmware *
zyxel zywall_vpn300_firmware *
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel usg_flex_100_firmware *
zyxel usg20_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_atp700_firmware *
zyxel usg200_firmware *
zyxel usg110_firmware *
zyxel usg50_firmware *
zyxel usg310_firmware *
zyxel usg20-vpn_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel usg210_firmware *
zyxel usg1000_firmware *
zyxel usg2000_firmware *
zyxel usg20w_firmware *
zyxel usg300_firmware *
zyxel usg1100_firmware *
zyxel usg100_firmware *
CVE-2021-35030 LOW

A vulnerability was found in the CGI program in Zyxel GS1900-8 firmware version V2.60, that did not properly sterilize packet contents and could allow an authenticated, local user to perform a cross-site scripting (XSS) attack via a crafted LLDP packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 3.5 LOW CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L 0.9 2.5
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.2 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2021-35031 HIGH

A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XGS1210 series firmware, and XGS1250 series firmware, which could allow an authenticated LAN user to execute arbitrary OS commands via the GUI of the vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9
security@zyxel.com.tw 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-10hp_firmware *
zyxel xgs1210-12_firmware *
zyxel xgs1250-12_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2021-35032 HIGH

A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware version 2.60 could allow an authenticated local user to execute arbitrary OS commands via a crafted function call.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zyxel.com.tw 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-48hp_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-24hp_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2021-35033 MEDIUM

A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access of the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect the device, or if the remote assistance feature had been enabled by an authenticated user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-260,CWE-287,

Products Affected

Vendor Product Version
zyxel nbg7815_firmware *
zyxel nbg6818_firmware *
zyxel wsr30_firmware *
zyxel wsq60_firmware *
zyxel wsq20_firmware *
zyxel wsq50_firmware *
CVE-2021-35034 MEDIUM

An insufficient session expiration vulnerability in the CGI program of the Zyxel NBG6604 firmware could allow a remote attacker to access the device if the correct token can be intercepted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
security@zyxel.com.tw 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-613,CWE-613,

Products Affected

Vendor Product Version
zyxel nbg6604_firmware *
CVE-2021-35035 MEDIUM

A cleartext storage of sensitive information vulnerability in the Zyxel NBG6604 firmware could allow a remote, authenticated attacker to obtain sensitive information from the configuration file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,CWE-312,

Products Affected

Vendor Product Version
zyxel nbg6604_firmware *
CVE-2021-35036 LOW

A cleartext storage of information vulnerability in the Zyxel VMG3625-T50B firmware version V5.50(ABTL.0)b2k could allow an authenticated attacker to obtain sensitive information from the configuration file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,CWE-312,

Products Affected

Vendor Product Version
zyxel pmg5617ga_firmware *
zyxel ex5401-b0_firmware *
zyxel lte7240-m403_firmware *
zyxel lte5388-s905_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel lte3301-plus_firmware *
zyxel pmg5317-t20b_firmware *
zyxel nr5101_firmware *
zyxel lte7490-m804_firmware *
zyxel ep240p_firmware *
zyxel vmg8825-t50k_firmware *
zyxel lte7480-s905_firmware *
zyxel nr7101_firmware *
zyxel lte7480-m804_firmware *
zyxel pmg5617-t20b2_firmware *
zyxel emg5523-t50b_firmware *
zyxel lte5388-m804_firmware *
zyxel ex5501-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel pmg5622ga_firmware *
zyxel dx3301-t0_firmware *
zyxel lte5398-m904_firmware *
zyxel dx5401-b0_firmware *
zyxel lte7461-m602_firmware *
zyxel nr7102_firmware *
zyxel lte7485-s905_firmware *
zyxel emg5723-t50k_firmware *
zyxel pm7300-t0_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
CVE-2021-4029 HIGH

A command injection vulnerability in the CGI program of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary OS commands via a LAN interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel nbg6816_firmware 1.00(aawb.10)c0
zyxel nbg6817_firmware *
CVE-2021-4030 MEDIUM

A cross-site request forgery vulnerability in the HTTP daemon of the Zyxel ARMOR Z1/Z2 firmware could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security@zyxel.com.tw 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
zyxel nbg6816_firmware 1.00(aawb.10)c0
zyxel nbg6817_firmware *
CVE-2021-4039 HIGH

A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel nwa1100-nh_firmware *
CVE-2021-46387 MEDIUM

ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
zyxel zywall_2_plus_internet_security_appliance_firmware -
CVE-2022-0342 HIGH

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel usg60w_firmware *
zyxel atp100w_firmware *
zyxel usg40w_firmware *
zyxel zywall_110_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel nsg300_firmware 1.33
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel nsg300_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
CVE-2022-0556 HIGH

A local privilege escalation vulnerability caused by incorrect permission assignment in some directories of the Zyxel AP Configurator (ZAC) version 1.1.4, which could allow an attacker to execute arbitrary code as a local administrator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 1.3 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,CWE-732,

Products Affected

Vendor Product Version
zyxel zyxel_ap_configurator 1.1.4
CVE-2022-0734 MEDIUM

A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
zyxel usg_60_firmware *
zyxel atp700_firmware *
zyxel usg_310_firmware *
zyxel usg_20w_firmware *
zyxel atp100w_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_40_firmware *
zyxel usg2200_firmware *
zyxel usg_2200-vpn_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_60w_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_1900_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg20_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel usg200_firmware *
zyxel atp200_firmware *
zyxel usg310_firmware *
zyxel usg_40w_firmware *
zyxel usg_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel usg210_firmware *
zyxel vpn100_firmware *
zyxel usg_110_firmware *
zyxel usg300_firmware *
CVE-2022-0823 LOW

An improper control of interaction frequency vulnerability in Zyxel GS1200 series switches could allow a local attacker to guess the password by using a timing side-channel attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6
security@zyxel.com.tw 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-203,NVD-CWE-Other,

Products Affected

Vendor Product Version
zyxel gs1200-5_firmware *
zyxel gs1200-8_firmware *
zyxel gs1200-5hp_firmware *
zyxel gs1200-8hp_firmware *
CVE-2022-0910 MEDIUM

A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
zyxel usg_60_firmware *
zyxel atp700_firmware *
zyxel usg_310_firmware *
zyxel usg_20w_firmware *
zyxel atp100w_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_40_firmware *
zyxel usg2200_firmware *
zyxel usg_2200-vpn_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_60w_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_1900_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg20_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel usg200_firmware *
zyxel atp200_firmware *
zyxel usg310_firmware *
zyxel usg_40w_firmware *
zyxel usg_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel usg210_firmware *
zyxel vpn100_firmware *
zyxel usg_110_firmware *
zyxel usg300_firmware *
CVE-2022-2030

A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.11 through 4.72, that could allow an authenticated attacker to access some restricted files on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel usg60w_firmware *
zyxel atp100w_firmware *
zyxel usg40w_firmware *
zyxel zywall_110_firmware *
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg20-vpn_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
CVE-2022-26413 HIGH

A command injection vulnerability in the CGI program of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0 could allow a local authenticated attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9
security@zyxel.com.tw 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel pmg5617ga_firmware *
zyxel ex5401-b0_firmware *
zyxel xmg8825-b50a_firmware *
zyxel px7501-b0_firmware *
zyxel vmg1312-t20b_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel pmg5317-t20b_firmware *
zyxel ep240p_firmware *
zyxel vmg8825-t50k_firmware *
zyxel vmg3312-t20a_firmware 5.30(abfx.5)c0
zyxel pmg5617-t20b2_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel vmg8825-b50a_firmware *
zyxel pmg5622ga_firmware *
zyxel vmg8825-b50b_firmware *
zyxel dx5401-b0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ex3510-b0_firmware *
zyxel xmg3927-b50a_firmware *
zyxel vmg8825-b60b_firmware *
zyxel vmg4927-b50a_firmware *
zyxel vmg3927-b50a_firmware *
zyxel vmg8825-b60a_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg5723-t50k_firmware *
zyxel pm7300-t0_firmware *
zyxel vmg3927-b60a_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
CVE-2022-26414 MEDIUM

A potential buffer overflow vulnerability was identified in some internal functions of Zyxel VMG3312-T20A firmware version 5.30(ABFX.5)C0, which could be exploited by a local authenticated attacker to cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H 0.8 5.2
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
zyxel pmg5617ga_firmware *
zyxel ex5401-b0_firmware *
zyxel xmg8825-b50a_firmware *
zyxel px7501-b0_firmware *
zyxel vmg1312-t20b_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel pmg5317-t20b_firmware *
zyxel ep240p_firmware *
zyxel vmg8825-t50k_firmware *
zyxel vmg3312-t20a_firmware 5.30(abfx.5)c0
zyxel pmg5617-t20b2_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel vmg8825-b50a_firmware *
zyxel pmg5622ga_firmware *
zyxel vmg8825-b50b_firmware *
zyxel dx5401-b0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ex3510-b0_firmware *
zyxel xmg3927-b50a_firmware *
zyxel vmg8825-b60b_firmware *
zyxel vmg4927-b50a_firmware *
zyxel vmg3927-b50a_firmware *
zyxel vmg8825-b60a_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg5723-t50k_firmware *
zyxel pm7300-t0_firmware *
zyxel vmg3927-b60a_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
CVE-2022-26531 MEDIUM

Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel wax610d_firmware *
zyxel atp100w_firmware *
zyxel nwa1123acv3_firmware *
zyxel nwa55axe_firmware *
zyxel nsg300_firmware 1.33
zyxel usg_40_firmware *
zyxel usg2200_firmware *
zyxel nxc5500_firmware *
zyxel usg_2200-vpn_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel nsg50_firmware 1.33
zyxel wac6552d-s_firmware *
zyxel usg_flex_700_firmware *
zyxel nwa210ax_firmware *
zyxel usg_1900_firmware *
zyxel nwa1302-ac_firmware *
zyxel wax630s_firmware *
zyxel usg20_firmware *
zyxel nsg300_firmware *
zyxel nwa110ax_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel wax510d_firmware *
zyxel wac500_firmware *
zyxel wac6103d-i_firmware *
zyxel usg_1100_firmware *
zyxel atp800_firmware *
zyxel wac6502d-e_firmware *
zyxel usg_110_firmware *
zyxel nwa5123-ac-hd_firmware *
zyxel usg_60_firmware *
zyxel nsg100_firmware 1.33
zyxel usg_310_firmware *
zyxel usg_20w_firmware *
zyxel nsg100_firmware *
zyxel wac6553d-s_firmware *
zyxel wac500h_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel nap303_firmware *
zyxel wax650s_firmware *
zyxel usg_60w_firmware *
zyxel wac6303d-s_firmware *
zyxel usg_flex_200_firmware *
zyxel nsg50_firmware *
zyxel wac6502d-s_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel nwa1123-ac-pro_firmware *
zyxel vpn50_firmware *
zyxel usg200_firmware *
zyxel wac5302d-s_firmware *
zyxel wac5302d-sv2_firmware *
zyxel nap353_firmware *
zyxel nwa1123-ac-hd_firmware *
zyxel nwa90ax_firmware *
zyxel usg310_firmware *
zyxel wac6503d-s_firmware *
zyxel nxc2500_firmware *
zyxel usg_40w_firmware *
zyxel vpn1000_firmware *
zyxel usg210_firmware *
zyxel vpn100_firmware *
zyxel nwa50ax_firmware *
zyxel usg300_firmware *
zyxel nap203_firmware *
CVE-2022-26532 HIGH

A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-88,CWE-78,

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel wax610d_firmware *
zyxel atp100w_firmware *
zyxel nwa1123acv3_firmware *
zyxel nwa55axe_firmware *
zyxel nsg300_firmware 1.33
zyxel usg_40_firmware *
zyxel usg2200_firmware *
zyxel nxc5500_firmware *
zyxel usg_2200-vpn_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel nsg50_firmware 1.33
zyxel wac6552d-s_firmware *
zyxel usg_flex_700_firmware *
zyxel nwa210ax_firmware *
zyxel usg_1900_firmware *
zyxel nwa1302-ac_firmware *
zyxel wax630s_firmware *
zyxel usg20_firmware *
zyxel nsg300_firmware *
zyxel nwa110ax_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel wax510d_firmware *
zyxel wac500_firmware *
zyxel wac6103d-i_firmware *
zyxel usg_1100_firmware *
zyxel atp800_firmware *
zyxel wac6502d-e_firmware *
zyxel usg_110_firmware *
zyxel nwa5123-ac-hd_firmware *
zyxel usg_60_firmware *
zyxel nsg100_firmware 1.33
zyxel usg_310_firmware *
zyxel usg_20w_firmware *
zyxel nsg100_firmware *
zyxel wac6553d-s_firmware *
zyxel wac500h_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel nap303_firmware *
zyxel wax650s_firmware *
zyxel usg_60w_firmware *
zyxel wac6303d-s_firmware *
zyxel usg_flex_200_firmware *
zyxel nsg50_firmware *
zyxel wac6502d-s_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel nwa1123-ac-pro_firmware *
zyxel vpn50_firmware *
zyxel usg200_firmware *
zyxel wac5302d-s_firmware *
zyxel wac5302d-sv2_firmware *
zyxel nap353_firmware *
zyxel nwa1123-ac-hd_firmware *
zyxel nwa90ax_firmware *
zyxel usg310_firmware *
zyxel wac6503d-s_firmware *
zyxel nxc2500_firmware *
zyxel usg_40w_firmware *
zyxel vpn1000_firmware *
zyxel usg210_firmware *
zyxel vpn100_firmware *
zyxel nwa50ax_firmware *
zyxel usg300_firmware *
zyxel nap203_firmware *
CVE-2022-30525 HIGH

A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-78,

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
CVE-2022-30526

A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device.

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel usg60w_firmware *
zyxel atp100w_firmware *
zyxel usg40w_firmware *
zyxel zywall_110_firmware *
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg20-vpn_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
CVE-2022-34746

An insufficient entropy vulnerability caused by the improper use of randomness sources with low entropy for RSA key pair generation was found in Zyxel GS1900 series firmware versions prior to V2.70. This vulnerability could allow an unauthenticated attacker to retrieve a private key by factoring the RSA modulus N in the certificate of the web administration interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6
security@zyxel.com.tw 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2022-34747

A format string vulnerability in Zyxel NAS326 firmware versions prior to V5.21(AAZF.12)C0 could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas326_firmware *
CVE-2022-38546

A DNS misconfiguration was found in Zyxel NBG7510 firmware versions prior to V1.00(ABZY.3)C0, which could allow an unauthenticated attacker to access the DNS server when the device is switched to the AP mode.

Products Affected

Vendor Product Version
zyxel nbg7510_firmware *
CVE-2022-38547

A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel usg60w_firmware *
zyxel atp100w_firmware *
zyxel usg40w_firmware *
zyxel zywall_110_firmware *
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_310_firmware *
zyxel zywall_1100_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
CVE-2022-40602

A flaw in the Zyxel LTE3301-M209 firmware verisons prior to V1.00(ABLG.6)C0 could allow a remote attacker to access the device using an improper pre-configured password if the remote administration feature has been enabled by an authenticated administrator.

Products Affected

Vendor Product Version
zyxel lte3301-m209_firmware *
CVE-2022-40603

A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg60w_firmware *
zyxel atp100w_firmware *
zyxel usg40w_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg60_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg40_firmware *
zyxel atp100_firmware *
CVE-2022-43389

A buffer overflow vulnerability in the library of the web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device.

Products Affected

Vendor Product Version
zyxel nebula_fwa710_firmware *
zyxel pm7320-b0_firmware -
zyxel nebula_fwa510_firmware *
zyxel nebula_nr7101_firmware *
zyxel lte3202-m437_firmware *
zyxel lte3316-m604_firmware *
zyxel pmg5622ga_firmware -
zyxel nr5103_firmware *
zyxel nr7102_firmware *
zyxel nr5103e_firmware -
zyxel nr7101_firmware *
zyxel pmg5317-t20b_firmware -
zyxel lte7480-m804_firmware *
zyxel pmg5617ga_firmware -
zyxel nr7103_firmware *
zyxel ep240p_firmware -
zyxel lte7490-m904_firmware *
CVE-2022-43390

A command injection vulnerability in the CGI program of Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to execute some OS commands on a vulnerable device by sending a crafted HTTP request.

Products Affected

Vendor Product Version
zyxel emg5523-t50b_firmware -
zyxel pm5100-t0_firmware -
zyxel pmg5617-t20b2_firmware -
zyxel wx5600-t0_firmware -
zyxel dx5401-b0_firmware -
zyxel wx3401-b0_firmware -
zyxel emg3525-t50b_firmware -
zyxel nr5101_firmware *
zyxel ex5401-b0_firmware -
zyxel ex5600-t1_firmware -
zyxel nebula_nr5101_firmware *
zyxel ex5501-b0_firmware -
zyxel ex5601-t1_firmware -
zyxel vmg4005-b50a_firmware -
zyxel nr7101_firmware *
zyxel pmg5317-t20b_firmware -
zyxel lte7480-m804_firmware *
zyxel ex3301-t0_firmware -
zyxel vmg8623-t50b_firmware -
zyxel vmg8825-t50k_firmware -
zyxel ex5512-t0_firmware -
zyxel ex5601-t0_firmware -
zyxel vmg3927-t50k_firmware -
zyxel pm7320-b0_firmware -
zyxel ax7501-b0_firmware -
zyxel nebula_nr7101_firmware *
zyxel ex3510-b0_firmware *
zyxel pmg5622ga_firmware -
zyxel dx4510-b1_firmware -
zyxel nr7102_firmware *
zyxel dx3301-t0_firmware -
zyxel pm3100-t0_firmware -
zyxel wx3100-t0_firmware -
zyxel ex5510-b0_firmware *
zyxel vmg4005-b60a_firmware -
zyxel pmg5617ga_firmware -
zyxel lte7490-m904_firmware *
zyxel emg5723-t50k_firmware -
zyxel pm7300-t0_firmware -
CVE-2022-43391

A buffer overflow vulnerability in the parameter of the CGI program in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted HTTP request.

Products Affected

Vendor Product Version
zyxel emg5523-t50b_firmware -
zyxel pm5100-t0_firmware -
zyxel lte5398-m904_firmware -
zyxel wx5600-t0_firmware -
zyxel wx3401-b0_firmware -
zyxel emg3525-t50b_firmware -
zyxel nebula_lte3301-plus_firmware *
zyxel nr5101_firmware *
zyxel ex5501-b0_firmware -
zyxel vmg4005-b50a_firmware -
zyxel pmg5317-t20b_firmware -
zyxel lte7480-s905_firmware -
zyxel vmg8623-t50b_firmware -
zyxel vmg8825-t50k_firmware -
zyxel ex5601-t0_firmware -
zyxel vmg3927-t50k_firmware -
zyxel ax7501-b0_firmware -
zyxel nebula_nr7101_firmware *
zyxel ex3510-b0_firmware *
zyxel pmg5622ga_firmware -
zyxel dx4510-b1_firmware -
zyxel nr7102_firmware *
zyxel dx3301-t0_firmware -
zyxel pm3100-t0_firmware -
zyxel lte7240-m403_firmware -
zyxel wx3100-t0_firmware -
zyxel ex5510-b0_firmware *
zyxel vmg4005-b60a_firmware -
zyxel lte7461-m602_firmware -
zyxel pmg5617ga_firmware -
zyxel pm7300-t0_firmware -
zyxel pmg5617-t20b2_firmware -
zyxel dx5401-b0_firmware -
zyxel lte5388-m804_firmware -
zyxel ex5401-b0_firmware -
zyxel ex5600-t1_firmware -
zyxel nebula_nr5101_firmware *
zyxel ex5601-t1_firmware -
zyxel nr7101_firmware *
zyxel lte7480-m804_firmware *
zyxel ex3301-t0_firmware -
zyxel ex5512-t0_firmware -
zyxel lte7485-s905_firmware -
zyxel pm7320-b0_firmware -
zyxel lte3301-plus_firmware -
zyxel nebula_lte7461-m602_firmware *
zyxel lte7490-m904_firmware *
zyxel emg5723-t50k_firmware -
CVE-2022-43392

A buffer overflow vulnerability in the parameter of web server in Zyxel NR7101 firmware prior to V1.15(ACCC.3)C0, which could allow an authenticated attacker to cause denial-of-service (DoS) conditions by sending a crafted authorization request.

Products Affected

Vendor Product Version
zyxel emg5523-t50b_firmware -
zyxel pm5100-t0_firmware -
zyxel lte5398-m904_firmware -
zyxel wx5600-t0_firmware -
zyxel wx3401-b0_firmware -
zyxel emg3525-t50b_firmware -
zyxel nebula_lte3301-plus_firmware *
zyxel nr5101_firmware *
zyxel ex5501-b0_firmware -
zyxel vmg4005-b50a_firmware -
zyxel pmg5317-t20b_firmware -
zyxel lte7480-s905_firmware -
zyxel vmg8623-t50b_firmware -
zyxel vmg8825-t50k_firmware -
zyxel ex5601-t0_firmware -
zyxel vmg3927-t50k_firmware -
zyxel ax7501-b0_firmware -
zyxel nebula_nr7101_firmware *
zyxel ex3510-b0_firmware *
zyxel pmg5622ga_firmware -
zyxel dx4510-b1_firmware -
zyxel nr7102_firmware *
zyxel dx3301-t0_firmware -
zyxel pm3100-t0_firmware -
zyxel lte7240-m403_firmware -
zyxel wx3100-t0_firmware -
zyxel ex5510-b0_firmware *
zyxel vmg4005-b60a_firmware -
zyxel lte7461-m602_firmware -
zyxel pmg5617ga_firmware -
zyxel pm7300-t0_firmware -
zyxel pmg5617-t20b2_firmware -
zyxel dx5401-b0_firmware -
zyxel lte5388-m804_firmware -
zyxel ex5401-b0_firmware -
zyxel ex5600-t1_firmware -
zyxel nebula_nr5101_firmware *
zyxel ex5601-t1_firmware -
zyxel nr7101_firmware *
zyxel lte7480-m804_firmware *
zyxel ex3301-t0_firmware -
zyxel ex5512-t0_firmware -
zyxel lte7485-s905_firmware -
zyxel pm7320-b0_firmware -
zyxel lte3301-plus_firmware -
zyxel nebula_lte7461-m602_firmware *
zyxel lte7490-m904_firmware *
zyxel emg5723-t50k_firmware -
CVE-2022-43393

An improper check for unusual or exceptional conditions in the HTTP request processing function of Zyxel GS1920-24v2 firmware prior to V4.70(ABMH.8)C0, which could allow an unauthenticated attacker to corrupt the contents of the memory and result in a denial-of-service (DoS) condition on a vulnerable device.

Products Affected

Vendor Product Version
zyxel xgs2210-52hp_firmware *
zyxel gs1920-48v2_firmware *
zyxel xgs2210-28_firmware *
zyxel mgs3500-24s_firmware *
zyxel xgs2220-30f_firmware *
zyxel xgs1930-52hp_firmware *
zyxel xgs4600-32_firmware *
zyxel gs1915-24e_firmware *
zyxel xgs2220-54_firmware *
zyxel xgs2220-54fp_firmware *
zyxel mgs3530-28_firmware *
zyxel xs1930-12hp_firmware *
zyxel mgs3520-28_firmware 4.10(abqm.1)c0
zyxel gs1350-26hp_firmware *
zyxel gs1915-8ep_firmware *
zyxel xs1930-10_firmware *
zyxel xgs4600-52f_firmware *
zyxel xgs2210-52_firmware *
zyxel xs1930-12f_firmware *
zyxel mgs3520-28f_firmware *
zyxel gs2220-28hp_firmware *
zyxel xmg1930-30hp_firmware *
zyxel xs3800-28_firmware *
zyxel xgs2220-30_firmware *
zyxel xgs2220-54hp_firmware *
zyxel xgs1930-28hp_firmware *
zyxel gs1350-12hp_firmware *
zyxel gs2220-10hp_firmware *
zyxel gs2220-10_firmware *
zyxel gs2220-50hp_firmware *
zyxel xgs4600-32f_firmware *
zyxel xgs2210-28hp_firmware *
zyxel gs1920-24v2_firmware *
zyxel xgs1930-52_firmware *
zyxel gs1920-24hpv2_firmware *
zyxel gs1920-48hpv2_firmware *
zyxel gs1915-8_firmware *
zyxel xgs2220-30hp_firmware *
zyxel gs1350-18hp_firmware *
zyxel gs1915-24ep_firmware *
zyxel gs2220-28_firmware *
zyxel xmg1930-30_firmware *
zyxel mgs3530-28_firmware 4.10(acfj.0)c0
zyxel gs2220-50_firmware *
zyxel gs1350-6hp_firmware *
zyxel mgs3520-28_firmware *
zyxel xgs1930-28_firmware *
CVE-2022-45439

A pair of spare WiFi credentials is stored in the configuration file of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0 in cleartext. An unauthenticated attacker could use the credentials to access the WLAN service if the configuration file has been retrieved from the device by leveraging another known vulnerability.

Products Affected

Vendor Product Version
zyxel ax7501-b0_firmware *
CVE-2022-45440

A vulnerability exists in the FTP server of the Zyxel AX7501-B0 firmware prior to V5.17(ABPC.3)C0, which processes symbolic links on external storage media. A local authenticated attacker with administrator privileges could abuse this vulnerability to access the root file system by creating a symbolic link on external storage media, such as a USB flash drive, and then logging into the FTP server on a vulnerable device.

Products Affected

Vendor Product Version
zyxel ax7501-b0_firmware *
CVE-2022-45441

A cross-site scripting (XSS) vulnerability in Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.13)C0, which could allow an attacker to store malicious scripts in the Logs page of the GUI on a vulnerable device. A successful XSS attack could force an authenticated user to execute the stored malicious scripts and then result in a denial-of-service (DoS) condition when the user visits the Logs page of the GUI on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security@zyxel.com.tw 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware *
CVE-2022-45853

The privilege escalation vulnerability in the Zyxel GS1900-8 firmware version V2.70(AAHH.3) and the GS1900-8HP firmware version V2.70(AAHI.3) could allow an authenticated, local attacker with administrator privileges to execute some system commands as 'root' on a vulnerable device via SSH.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
zyxel gs1900-24e_firmware 2.70(aahk.3)
zyxel gs1900-24hpv2_firmware 2.70(abtp.3)
zyxel gs1900-48hpv2_firmware 2.70(abtq.3)
zyxel gs1900-16_firmware 2.70(aahj.3)
zyxel gs1900-48_firmware 2.70(aahn.3)
zyxel gs1900-24_firmware 2.70(aahl.3)
zyxel gs1900-8hp_firmware 2.70(aahi.3)
zyxel gs1900-10hp_firmware 2.70(aazi.3)
zyxel gs1900-24ep_firmware 2.70(abto.3)
zyxel gs1900-8_firmware 2.70(aahh.3)
CVE-2022-45854

An improper check for unusual conditions in Zyxel NWA110AX firmware verisons prior to 6.50(ABTG.0)C0, which could allow a LAN attacker to cause a temporary denial-of-service (DoS) by sending crafted VLAN frames if the MAC address of the vulnerable AP were intercepted by the attacker.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 3.1 LOW CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 1.6 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel wax650s_firmware *
zyxel wax510d_firmware *
zyxel nwa210ax_firmware *
zyxel wax630s_firmware *
CVE-2023-22913

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

Products Affected

Vendor Product Version
zyxel vpn1000_firmware *
zyxel vpn50_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-22914

A path traversal vulnerability in the “account_print.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel vpn1000_firmware *
zyxel vpn50_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-22915

A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.30 through 5.35, USG20(W)-VPN firmware versions 4.30 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote unauthenticated attacker to cause DoS conditions by sending a crafted HTTP request if the Facebook WiFi function were enabled on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-22916

The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H 2.8 5.2

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-22917

A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of Zyxel ATP series firmware versions 5.10 through 5.32, USG FLEX series firmware versions 5.00 through 5.32, USG FLEX 50(W) firmware versions 5.10 through 5.32, USG20(W)-VPN firmware versions 5.10 through 5.32, and VPN series firmware versions 5.00 through 5.35, which could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-22918

A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel wax655e_firmware *
zyxel wax610d_firmware *
zyxel atp100w_firmware *
zyxel nwa1123acv3_firmware *
zyxel nwa55axe_firmware *
zyxel nwa50ax-pro_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel wac6552d-s_firmware *
zyxel usg_flex_700_firmware *
zyxel nwa210ax_firmware *
zyxel nwa90ax-pro_firmware *
zyxel wax630s_firmware *
zyxel nwa110ax_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel wax510d_firmware *
zyxel usg20-vpn_firmware *
zyxel wac500_firmware *
zyxel wac6103d-i_firmware *
zyxel atp800_firmware *
zyxel wac6502d-e_firmware *
zyxel nwa5123-ac_hd_firmware *
zyxel nwa1123-ac_hd_firmware *
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wac500h_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel nap303_firmware *
zyxel usg_flex_50w_firmware *
zyxel wax650s_firmware *
zyxel wac6303d-s_firmware *
zyxel usg_flex_200_firmware *
zyxel wac6502d-s_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel nwa1123-ac-pro_firmware *
zyxel wac6553d-e_firmware *
zyxel vpn50_firmware *
zyxel wac5302d-sv2_firmware *
zyxel nap353_firmware *
zyxel nwa90ax_firmware *
zyxel usg_flex_50_firmware *
zyxel wax640s-6e_firmware *
zyxel wac6503d-s_firmware *
zyxel vpn1000_firmware *
zyxel vpn100_firmware *
zyxel nwa50ax_firmware *
zyxel nap203_firmware *
CVE-2023-22919

The post-authentication command injection vulnerability in the Zyxel NBG6604 firmware version V1.01(ABIR.0)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel nbg6604_firmware 1.01(abir.0)c0
CVE-2023-22920

A security misconfiguration vulnerability exists in the Zyxel LTE3316-M604 firmware version V2.00(ABMP.6)C0 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel lte3202-m437_firmware 1.00(abwf.1)c0
zyxel lte3316-m604_firmware 2.00(abmp.6)c0
CVE-2023-22921

A cross-site scripting (XSS) vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to store malicious scripts using a web management interface parameter, resulting in denial-of-service (DoS) conditions on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware *
CVE-2023-22922

A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote unauthenticated attacker to cause DoS conditions by sending crafted packets if Telnet is enabled on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware *
CVE-2023-22923

A format string vulnerability in a binary of the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker to cause denial-of-service (DoS) conditions on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware *
CVE-2023-22924

A buffer overflow vulnerability in the Zyxel NBG-418N v2 firmware versions prior to V1.00(AARP.14)C0 could allow a remote authenticated attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing crafted CLI commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel nbg-418n_firmware *
CVE-2023-27988

The post-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.13)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device remotely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas540_firmware *
zyxel nas326_firmware *
CVE-2023-27989

A buffer overflow vulnerability in the CGI program of the Zyxel NR7101 firmware versions prior to V1.00(ABUV.8)C0 could allow a remote authenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel nebula_nr7101_firmware *
zyxel nr7101_firmware *
zyxel lte7480-m804_firmware *
zyxel lte7490-m904_firmware *
CVE-2023-27990

The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N 0.9 2.5

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-27991

The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
CVE-2023-27992

The pre-authentication command injection vulnerability in the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas540_firmware *
zyxel nas326_firmware *
CVE-2023-28767

The configuration parser fails to sanitize user-controlled input in the Zyxel ATP series firmware versions 5.10 through 5.36, USG FLEX series firmware versions 5.00 through 5.36,  USG FLEX 50(W) series firmware versions 5.10 through 5.36, USG20(W)-VPN series firmware versions 5.10 through 5.36, and VPN series firmware versions 5.00 through 5.36. An unauthenticated, LAN-based attacker could leverage the vulnerability to inject some operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel zywall_atp700_firmware *
zyxel zywall_atp100_firmware *
zyxel usg_20w-vpn_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_vpn_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-28768

Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel xgs2220-30hp_firmware 4.80(abxo.1)
zyxel xgs2220-54_firmware 4.80(abxp.1)
zyxel xgs2220-54hp_firmware 4.80(abxq.1)
zyxel xgs2220-54fp_firmware 4.80(acce.1)
zyxel xs1930-10_firmware 4.80(abqe.1)
zyxel xs1930-12hp_firmware 4.80(abqf.1)
zyxel xgs2220-30_firmware 4.80(abxn.1)
zyxel xmg1930-30hp_firmware 4.80(acas.1)
zyxel xs1930-12f_firmware 4.80(abzv.1)
zyxel xgs2220-30f_firmware 4.80(abye.1)
zyxel xmg1930-30_firmware 4.80(acar.1)
CVE-2023-28769

The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel dx5401-b0_firmware *
CVE-2023-28770

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel dx5401-b0_firmware *
CVE-2023-28771

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel zywall_usg_100_firmware 4.73
zyxel atp700_firmware *
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel atp100w_firmware *
zyxel zywall_usg_100_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel vpn300_firmware *
zyxel zywall_usg_310_firmware 4.73
zyxel vpn1000_firmware *
zyxel atp800_firmware *
zyxel vpn100_firmware *
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_usg_310_firmware *
CVE-2023-33009

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel usg_60_firmware *
zyxel atp700_firmware 5.36
zyxel atp700_firmware *
zyxel usg_20w-vpn_firmware 5.36
zyxel usg_40_firmware 4.73
zyxel usg_60w_firmware 4.73
zyxel usg20-vpn_firmware 5.36
zyxel atp100w_firmware *
zyxel usg_flex_50_firmware 5.36
zyxel vpn300_firmware *
zyxel usg_40_firmware *
zyxel vpn50_firmware 5.36
zyxel usg_flex_50w_firmware *
zyxel usg_flex_700_firmware 5.36
zyxel usg_flex_100w_firmware 5.36
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_60w_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_200_firmware 5.36
zyxel usg_flex_500_firmware 5.36
zyxel usg_flex_700_firmware *
zyxel usg_60_firmware 4.73
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel atp200_firmware 5.36
zyxel usg_flex_50w_firmware 5.36
zyxel vpn300_firmware 5.36
zyxel vpn1000_firmware 5.36
zyxel atp500_firmware 5.36
zyxel atp800_firmware 5.36
zyxel vpn50_firmware *
zyxel usg_20w-vpn_firmware *
zyxel atp200_firmware *
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel usg_40w_firmware *
zyxel vpn1000_firmware *
zyxel usg_40w_firmware 4.73
zyxel atp800_firmware *
zyxel vpn100_firmware 5.36
zyxel vpn100_firmware *
zyxel atp100_firmware 5.36
zyxel usg_flex_100_firmware 5.36
zyxel atp100w_firmware 5.36
CVE-2023-33010

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel usg_60_firmware *
zyxel atp700_firmware 5.36
zyxel atp700_firmware *
zyxel usg_20w-vpn_firmware 5.36
zyxel usg_40_firmware 4.73
zyxel usg_60w_firmware 4.73
zyxel usg20-vpn_firmware 5.36
zyxel atp100w_firmware *
zyxel usg_flex_50_firmware 5.36
zyxel vpn300_firmware *
zyxel usg_40_firmware *
zyxel vpn50_firmware 5.36
zyxel usg_flex_50w_firmware *
zyxel usg_flex_700_firmware 5.36
zyxel usg_flex_100w_firmware 5.36
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_60w_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_200_firmware 5.36
zyxel usg_flex_500_firmware 5.36
zyxel usg_flex_700_firmware *
zyxel usg_60_firmware 4.73
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel atp200_firmware 5.36
zyxel usg_flex_50w_firmware 5.36
zyxel vpn300_firmware 5.36
zyxel vpn1000_firmware 5.36
zyxel atp500_firmware 5.36
zyxel atp800_firmware 5.36
zyxel vpn50_firmware *
zyxel atp200_firmware *
zyxel usg20-vpn_firmware *
zyxel usg_40w_firmware *
zyxel vpn1000_firmware *
zyxel usg_40w_firmware 4.73
zyxel atp800_firmware *
zyxel vpn100_firmware 5.36
zyxel vpn100_firmware *
zyxel atp100_firmware 5.36
zyxel usg_flex_100_firmware 5.36
zyxel atp100w_firmware 5.36
CVE-2023-33011

A format string vulnerability in the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel zywall_atp700_firmware *
zyxel zywall_atp100_firmware *
zyxel usg_20w-vpn_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_vpn_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-33012

A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel zywall_atp700_firmware *
zyxel zywall_atp100_firmware *
zyxel usg_20w-vpn_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_vpn_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-33013

A post-authentication command injection vulnerability in the NTP feature of Zyxel NBG6604 firmware version V1.01(ABIR.1)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel nbg6604_firmware 1.01(abir.1)c0
CVE-2023-34138

A command injection vulnerability in the hotspot management feature of the Zyxel ATP series firmware versions 4.60 through 5.36 Patch 2, USG FLEX series firmware versions 4.60 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 4.60 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 4.60 through 5.36 Patch 2, and VPN series firmware versions 4.60 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the list of trusted RADIUS clients in advance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
zyxel zywall_atp700_firmware *
zyxel zywall_atp100_firmware *
zyxel usg_20w-vpn_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_vpn_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-34139

A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn300_firmware *
zyxel zywall_vpn_50_firmware *
zyxel usg_flex_100w_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-34140

A buffer overflow vulnerability in the Zyxel ATP series firmware versions 4.32 through 5.36 Patch 2, USG FLEX series firmware versions 4.50 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 4.16 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 4.16 through 5.36 Patch 2, VPN series firmware versions 4.30 through 5.36 Patch 2, NXC2500 firmware versions 6.10(AAIG.0) through 6.10(AAIG.3), and NXC5500 firmware versions 6.10(AAOS.0) through 6.10(AAOS.4), could allow an unauthenticated, LAN-based attacker to cause denial of service (DoS) conditions by sending a crafted request to the CAPWAP daemon.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel zywall_atp100_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel zywall_vpn300_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel nxc5500_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_atp700_firmware *
zyxel usg_20w-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn_50_firmware *
zyxel nxc2500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-34141

A command injection vulnerability in the access point (AP) management feature of the Zyxel ATP series firmware versions 5.00 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.00 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.00 through 5.36 Patch 2, VPN series firmware versions 5.00 through 5.36 Patch 2, NXC2500 firmware versions 6.10(AAIG.0) through 6.10(AAIG.3), and NXC5500 firmware versions 6.10(AAOS.0) through 6.10(AAOS.4), could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the managed AP list in advance.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.0 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
zyxel zywall_atp100_firmware *
zyxel zywall_vpn2s_firmware *
zyxel zywall_vpn_300_firmware *
zyxel zywall_vpn50_firmware *
zyxel zywall_vpn100_firmware *
zyxel zywall_vpn300_firmware *
zyxel usg_flex_100w_firmware *
zyxel zywall_atp800_firmware *
zyxel zywall_atp100w_firmware *
zyxel nxc5500_firmware *
zyxel usg_2200-vpn_firmware *
zyxel usg_flex_50w_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel usg_flex_700_firmware *
zyxel usg_flex_100_firmware *
zyxel zywall_atp200_firmware *
zyxel zywall_atp500_firmware *
zyxel zywall_atp700_firmware *
zyxel usg_20w-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel zywall_vpn_50_firmware *
zyxel nxc2500_firmware *
zyxel zywall_vpn_100_firmware *
CVE-2023-35136

An improper input validation vulnerability in the “Quagga” package of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to access configuration files on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-35137

An improper authentication vulnerability in the authentication module of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-35138

A command injection vulnerability in the “show_zysync_server_contents” function of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-35139

A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5.10 through 5.37, USG FLEX series firmware versions 5.00 through 5.37, USG FLEX 50(W) series firmware versions 5.10 through 5.37, USG20(W)-VPN series firmware versions 5.10 through 5.37, and VPN series firmware versions 5.00 through 5.37, could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security@zyxel.com.tw 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-35140

The improper privilege management vulnerability in the Zyxel GS1900-24EP switch firmware version V2.70(ABTO.5) could allow an authenticated local user with read-only access to modify system settings on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2023-37925

An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access system files on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wax655e_firmware *
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel nwa1123acv3_firmware *
zyxel wax510d_firmware *
zyxel nwa90ax_firmware *
zyxel wac500_firmware *
zyxel wac500h_firmware *
zyxel wax640s-6e_firmware *
zyxel wbe660s_firmware *
zyxel nwa55axe_firmware *
zyxel nwa50ax-pro_firmware *
zyxel wax650s_firmware *
zyxel zld *
zyxel nwa210ax_firmware *
zyxel nwa90ax-pro_firmware *
zyxel nwa50ax_firmware *
zyxel wax630s_firmware *
CVE-2023-37926

A buffer overflow vulnerability in the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-37927

The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-37928

A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-37929

The buffer overflow vulnerability in the CGI program of the VMG3625-T50B firmware version V5.50(ABPM.8)C0 could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel ex5501-b0_firmware 5.17(abry.4)c0
zyxel ex3500-t0_firmware 5.44(achr.0)c0
zyxel ex5600-t1_firmware 5.70(acdz.2)c0
zyxel wx5610-b0_firmware 5.18(acgj.0)c0
zyxel ex3301-t0_firmware 5.50(aby.4)c0
zyxel vmg3625-t50b_firmware 5.50(abpm.8)c0
zyxel ex3501-t0_firmware 5.44(achr.0)c0
zyxel ex5601-t1_firmware 5.70(acdz.2)c0
zyxel vmg8825-t50k_firmware 5.50(abom.8.2)c0
zyxel vmg8623-t50b_firmware 5.50(abpm.8)c0
zyxel emg5723-t50k_firmware 5.50(abom.8.2)c0
zyxel vmg3927-t50k_firmware 5.50(abom.8.2)c0
zyxel dx5401-b1_firmware 5.17(abyo.5)c0
zyxel dx3300-t1_firmware 5.50(aby.4)c0
zyxel ex5401-b0_firmware 5.17(abyo.5)c0
zyxel dx3301-t0_firmware 5.50(aby.4)c0
zyxel ax7501-b0_firmware 5.17(abpc.4)c0
zyxel emg3525-t50b_firmware 5.50(abpm.8)c0
zyxel wx5600-t0_firmware 5.70(aceb.2)c0
zyxel dx4510_firmware 5.17(abyl.5)c0
zyxel ex5401-b1_firmware 5.17(abyo.5)c0
zyxel ex7710-b0_firmware 5.18(acak.0)c0
zyxel ex3300-t1_firmware 5.50(aby.4)c0
zyxel ex5512-t0_firmware 5.70(aceg.2)c0
zyxel ax7501-b1_firmware 5.17(abpc.4)c0
zyxel dx5401-b0_firmware 5.17(abyo.5)c0
zyxel emg5523-t50b_firmware 5.50(abpm.8)c0
zyxel ex5601-t0_firmware 5.70(acdz.2)c0
zyxel ex3510_firmware 5.17(abup.9)c0
zyxel ex5510_firmware 5.17(abqx.8)c0
zyxel wx3100-t0_firmware 5.50(abl.3)c0
zyxel nbg7510_firmware 1.00(abzy.5)c0
CVE-2023-43314

** UNSUPPORTED WHEN ASSIGNED **The buffer overflow vulnerability in the Zyxel PMG2005-T20B firmware version V1.00(ABNK.2)b11_C0 could allow an unauthenticated attacker to cause a denial of service condition via a crafted uid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel pmg2005-t20b_firmware -
CVE-2023-4397

A buffer overflow vulnerability in the Zyxel ATP series firmware version 5.37, USG FLEX series firmware version 5.37, USG FLEX 50(W) series firmware version 5.37, and USG20(W)-VPN series firmware version 5.37, could allow an authenticated local attacker with administrator privileges to cause denial-of-service (DoS) conditions by executing the CLI command with crafted strings on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.8 3.6

Products Affected

Vendor Product Version
zyxel zld 5.37
CVE-2023-4398

An integer overflow vulnerability in the source code of the QuickSec IPSec toolkit used in the VPN feature of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions on an affected device by sending a crafted IKE packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-4473

A command injection vulnerability in the web server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-4474

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-5372

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2023-5593

The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software version 4.0.4.0 could allow an authenticated local user to gain a privilege escalation by sending a crafted CREATE message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zyxel secuextender_ssl_vpn 4.0.4.0
CVE-2023-5650

An improper privilege management vulnerability in the ZySH of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-5797

An improper privilege management vulnerability in the debug CLI command of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, VPN series firmware versions 4.30 through 5.37, NWA50AX firmware version 6.29(ABYW.2), WAC500 firmware version 6.65(ABVS.1), WAX300H firmware version 6.60(ACHF.1), and WBE660S firmware version 6.65(ACGG.1), could allow an authenticated local attacker to access the administrator’s logs on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wax655e_firmware *
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel nwa1123acv3_firmware *
zyxel wax510d_firmware *
zyxel nwa90ax_firmware *
zyxel wac500_firmware *
zyxel wac500h_firmware *
zyxel wax640s-6e_firmware *
zyxel wbe660s_firmware *
zyxel nwa55axe_firmware *
zyxel nwa50ax-pro_firmware *
zyxel wax650s_firmware *
zyxel zld *
zyxel nwa210ax_firmware *
zyxel nwa90ax-pro_firmware *
zyxel nwa50ax_firmware *
zyxel wax630s_firmware *
CVE-2023-5960

An improper privilege management vulnerability in the hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.37 and VPN series firmware versions 4.30 through 5.37 could allow an authenticated local attacker to access the system files on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2023-6397

A null pointer dereference vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1 and USG FLEX series firmware versions from 4.50 through 5.37 Patch 1 could allow a LAN-based attacker to cause denial-of-service (DoS) conditions by downloading a crafted RAR compressed file onto a LAN-side host if the firewall has the “Anti-Malware” feature enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zyxel usg_flex_700h_firmware *
zyxel atp700_firmware *
zyxel usg_flex_100ax_firmware 5.37
zyxel usg_flex_200_firmware 5.37
zyxel atp100w_firmware *
zyxel usg_flex_700h_firmware 5.37
zyxel usg_flex_100h_firmware *
zyxel usg_flex_100_firmware 5.37
zyxel usg_flex_100w_firmware *
zyxel usg_flex_200hp_firmware *
zyxel usg_flex_500_firmware 5.37
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel atp500_firmware 5.37
zyxel usg_flex_700_firmware *
zyxel usg_flex_100ax_firmware *
zyxel usg_flex_100w_firmware 5.37
zyxel usg_flex_500h_firmware 5.37
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg_flex_200hp_firmware 5.37
zyxel usg_flex_50_firmware 5.37
zyxel atp200_firmware *
zyxel usg_flex_200h_firmware *
zyxel atp200_firmware 5.37
zyxel usg_flex_50w_firmware 5.37
zyxel atp100w_firmware 5.37
zyxel usg_flex_200h_firmware 5.37
zyxel usg_flex_50_firmware *
zyxel atp100_firmware 5.37
zyxel usg_flex_100h_firmware 5.37
zyxel atp800_firmware *
zyxel atp800_firmware 5.37
zyxel atp700_firmware 5.37
zyxel usg_flex_500h_firmware *
zyxel usg_flex_700_firmware 5.37
CVE-2023-6398

A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1, NWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel usg_flex_700h_firmware *
zyxel atp700_firmware *
zyxel wax655e_firmware *
zyxel usg_flex_100ax_firmware 5.37
zyxel usg_flex_200_firmware 5.37
zyxel wax610d_firmware *
zyxel atp100w_firmware *
zyxel nwa1123acv3_firmware *
zyxel usg_flex_700h_firmware 5.37
zyxel usg_flex_100_firmware 5.37
zyxel usg20w-vpn_firmware *
zyxel nwa55axe_firmware *
zyxel nwa50ax-pro_firmware *
zyxel usg_flex_500_firmware 5.37
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_700_firmware *
zyxel nwa210ax_firmware *
zyxel nwa90ax-pro_firmware *
zyxel usg_flex_100ax_firmware *
zyxel usg_flex_100w_firmware 5.37
zyxel usg_flex_500h_firmware 5.37
zyxel wax630s_firmware *
zyxel nwa110ax_firmware *
zyxel atp200_firmware *
zyxel usg_flex_50w_firmware 5.37
zyxel wax510d_firmware *
zyxel atp100w_firmware 5.37
zyxel usg20-vpn_firmware *
zyxel wac500_firmware *
zyxel atp100_firmware 5.37
zyxel usg_flex_100h_firmware 5.37
zyxel atp800_firmware *
zyxel atp800_firmware 5.37
zyxel usg20-vpn_firmware 5.37
zyxel atp700_firmware 5.37
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel usg_flex_100h_firmware *
zyxel wac500h_firmware *
zyxel wbe660s_firmware *
zyxel usg_flex_100w_firmware *
zyxel usg_flex_200hp_firmware *
zyxel usg_flex_50w_firmware *
zyxel wax650s_firmware *
zyxel usg_flex_200_firmware *
zyxel atp500_firmware 5.37
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg_flex_200hp_firmware 5.37
zyxel usg_flex_50_firmware 5.37
zyxel usg_flex_200h_firmware *
zyxel atp200_firmware 5.37
zyxel usg_flex_200h_firmware 5.37
zyxel nwa90ax_firmware *
zyxel usg_flex_50_firmware *
zyxel wax640s-6e_firmware *
zyxel uos 1.10
zyxel nwa50ax_firmware *
zyxel usg20w-vpn_firmware 5.37
zyxel wax300h_firmware *
zyxel usg_flex_500h_firmware *
zyxel usg_flex_700_firmware 5.37
CVE-2023-6399

A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the “deviceid” daemon by sending a crafted hostname to an affected device if it has the “Device Insight” feature enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.1 3.6

Products Affected

Vendor Product Version
zyxel usg_flex_700h_firmware *
zyxel atp700_firmware *
zyxel usg_flex_100ax_firmware 5.37
zyxel usg_flex_200_firmware 5.37
zyxel atp100w_firmware *
zyxel usg_flex_700h_firmware 5.37
zyxel usg_flex_100h_firmware *
zyxel usg_flex_100_firmware 5.37
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel usg_flex_200hp_firmware *
zyxel usg_flex_500_firmware 5.37
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel atp500_firmware 5.37
zyxel usg_flex_700_firmware *
zyxel usg_flex_100ax_firmware *
zyxel usg_flex_100w_firmware 5.37
zyxel usg_flex_500h_firmware 5.37
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg_flex_200hp_firmware 5.37
zyxel usg_flex_50_firmware 5.37
zyxel atp200_firmware *
zyxel usg_flex_200h_firmware *
zyxel atp200_firmware 5.37
zyxel usg_flex_50w_firmware 5.37
zyxel atp100w_firmware 5.37
zyxel usg_flex_200h_firmware 5.37
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel atp100_firmware 5.37
zyxel usg_flex_100h_firmware 5.37
zyxel atp800_firmware *
zyxel atp800_firmware 5.37
zyxel usg20-vpn_firmware 5.37
zyxel uos 1.10
zyxel atp700_firmware 5.37
zyxel usg20w-vpn_firmware 5.37
zyxel usg_flex_500h_firmware *
zyxel usg_flex_700_firmware 5.37
CVE-2023-6764

A format string vulnerability in a function of the IPSec VPN feature in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, and USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer; however, such an attack would require detailed knowledge of an affected device’s memory layout and configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
zyxel usg_flex_700h_firmware *
zyxel atp700_firmware *
zyxel usg_flex_100ax_firmware 5.37
zyxel usg_flex_200_firmware 5.37
zyxel atp100w_firmware *
zyxel usg_flex_700h_firmware 5.37
zyxel usg_flex_100h_firmware *
zyxel usg_flex_100_firmware 5.37
zyxel usg20w-vpn_firmware *
zyxel usg_flex_100w_firmware *
zyxel usg_flex_200hp_firmware *
zyxel usg_flex_500_firmware 5.37
zyxel usg_flex_50w_firmware *
zyxel atp500_firmware *
zyxel usg_flex_500_firmware *
zyxel usg_flex_200_firmware *
zyxel atp500_firmware 5.37
zyxel usg_flex_700_firmware *
zyxel usg_flex_100ax_firmware *
zyxel usg_flex_100w_firmware 5.37
zyxel usg_flex_500h_firmware 5.37
zyxel atp100_firmware *
zyxel usg_flex_100_firmware *
zyxel usg_flex_200hp_firmware 5.37
zyxel usg_flex_50_firmware 5.37
zyxel atp200_firmware *
zyxel usg_flex_200h_firmware *
zyxel atp200_firmware 5.37
zyxel usg_flex_50w_firmware 5.37
zyxel atp100w_firmware 5.37
zyxel usg_flex_200h_firmware 5.37
zyxel usg20-vpn_firmware *
zyxel usg_flex_50_firmware *
zyxel atp100_firmware 5.37
zyxel usg_flex_100h_firmware 5.37
zyxel atp800_firmware *
zyxel atp800_firmware 5.37
zyxel usg20-vpn_firmware 5.37
zyxel atp700_firmware 5.37
zyxel usg20w-vpn_firmware 5.37
zyxel usg_flex_500h_firmware *
zyxel usg_flex_700_firmware 5.37
CVE-2024-0816

The buffer overflow vulnerability in the DX3300-T1 firmware version V5.50(ABVY.4)C0 could allow an authenticated local attacker to cause denial of service (DoS) conditions by executing the CLI command with crafted strings on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
zyxel ex5501-b0_firmware 5.17(abry.4)c0
zyxel nbg7510_firmware 1.00(abzy.6)c0
zyxel nr5103ev2_firmware 1.00(aciq.0)c0
zyxel lte3301-plus_firmware 1.00(abqu.5)c0
zyxel ex3301-t0_firmware 5.50(aby.4)c0
zyxel vmg3625-t50b_firmware 5.50(abpm.8)c0
zyxel nebula_fwa505_firmware 1.18(acko.1)c0
zyxel nebula_nr7101_firmware 1.16(accc.0)c0
zyxel ex3501-t0_firmware 5.44(achr.0)c0
zyxel ex3510_firmware 5.17(abup.11)c0
zyxel nr5103e_firmware 1.00(acdj.1)b3
zyxel ex5601-t1_firmware 5.70(acdz.2)c0
zyxel vmg3927-t50k_firmware 5.50(abom.8.2)c0
zyxel nr7501_firmware 1.00(aceh.0)c0
zyxel dx5401-b1_firmware 5.17(abyo.5)c0
zyxel dx3301-t0_firmware 5.50(aby.4)c0
zyxel ax7501-b0_firmware 5.17(abpc.4)c0
zyxel wx3401-b0_firmware 5.17(abe.2)c0
zyxel lte7480-m804_firmware 1.00(abra.8)c0
zyxel nr7303_firmware 1.00(acei.0)c0
zyxel ex5401-b1_firmware 5.17(abyo.5)c0
zyxel lte7490-m904_firmware 1.00(abqy.7)c0
zyxel ex5512-t0_firmware 5.70(aceg.2)c0
zyxel nr7103_firmware 1.00(accz.2)c0
zyxel nr7101_firmware 1.00(abu.9)c0
zyxel nebula_fwa710_firmware 1.17(acgc.0)c0
zyxel nr7102_firmware 1.00(abyd.2)c0
zyxel pm5100-t0_firmware 5.42(acbf.1.2)c0
zyxel emg5523-t50b_firmware 5.50(abpm.8)c0
zyxel dx4510_firmware 5.17(abyl.6)c0
zyxel nebula_nr5101_firmware 1.16(accg.0)c0
zyxel ex3320-t1_firmware 5.71(yap.0)c0
zyxel px3321-t1_firmware 5.44(acjb.0)c0
zyxel wx5600-t0_firmware 5.70(acdz.2)c0
zyxel ex3500-t0_firmware 5.44(achr.0)c0
zyxel nebula_lte3301-plus_firmware 1.17(acca.0)c0
zyxel ex5600-t1_firmware 5.70(acdz.2)c0
zyxel wx5610-b0_firmware 5.18(acgj.0)c0
zyxel lte5388-m804_firmware 1.00(absq.4)c0
zyxel pm3100-t0_firmware 5.42(acbf.1.2)c0
zyxel lte7240-m403_firmware 2.00(abmg.7)c0
zyxel pm7300-t0_firmware 5.42(abyy.1)c0
zyxel vmg8825-t50k_firmware 5.50(abom.8.2)c0
zyxel vmg8623-t50b_firmware 5.50(abpm.8)c0
zyxel emg5723-t50k_firmware 5.50(abom.8.2)c0
zyxel nr5307_firmware 1.00(acjt.0)b4
zyxel nr5103_firmware 4.19(abyc.5)c0
zyxel nebula_fwa510_firmware 1.18(acgd.1)c0
zyxel dx3300-t1_firmware 5.50(aby.4)c0
zyxel ex5401-b0_firmware 5.17(abyo.5)c0
zyxel emg3525-t50b_firmware 5.50(abpm.8)c0
zyxel ex7710-b0_firmware 5.18(acak.0)c0
zyxel ex3300-t1_firmware 5.50(aby.4)c0
zyxel ex3320-t0_firmware 5.71(yak.2)d0
zyxel vmg4005-b50a_firmware 5.17(abqa.2)c0
zyxel ax7501-b1_firmware 5.17(abpc.4)c0
zyxel dx5401-b0_firmware 5.17(abyo.5)c0
zyxel lte3202-m437_firmware 1.00(abwf.3)c0
zyxel ex5601-t0_firmware 5.70(acdz.2)c0
zyxel ex5510_firmware 5.17(abqx.9)c0
zyxel vmg4005-b60a_firmware 5.17(abqa.2)c0
zyxel nr7302_firmware 1.00(acha.2)c0
zyxel nebula_lte7461-m602_firmware 1.15(ace.3)c0
zyxel wx3100-t0_firmware 5.50(abl.3)c0
zyxel lte5398-m904_firmware 1.00(abq.4)c0
CVE-2024-11253

A post-authentication command injection vulnerability in the "DNSServer” parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel dm4200-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel vmg8825-t50k_firmware *
zyxel vmg4005-b60a_firmware *
zyxel emg5723-t50k_firmware *
CVE-2024-11494

**UNSUPPORTED WHEN ASSIGNED** The improper authentication vulnerability in the Zyxel P-6101C ADSL modem firmware version P-6101CSA6AP_20140331 could allow an unauthenticated attacker to read some device information via a crafted HTTP HEAD method.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel p6101c_firmware p-6101cs6ap_20140331
CVE-2024-11667

A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-12009

A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel px5301-t0_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel ax7501-b0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-12010

A post-authentication command injection vulnerability in the ”zyUtilMailSend” function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel wx3401-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel px5301-t0_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel ax7501-b0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-12398

An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wax655e_firmware *
zyxel wbe530_firmware *
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel nwa130be_firmware *
zyxel nwa1123acv3_firmware *
zyxel wax510d_firmware *
zyxel nwa90ax_pro_firmware *
zyxel nwa90ax_firmware *
zyxel wac500_firmware *
zyxel wac500h_firmware *
zyxel wax640s-6e_firmware *
zyxel wbe660s_firmware *
zyxel nwa50ax_pro_firmware *
zyxel nwa55axe_firmware *
zyxel usg_lite_60ax_firmware *
zyxel wax650s_firmware *
zyxel nwa210ax_firmware *
zyxel nwa50ax_firmware *
zyxel wax630s_firmware *
zyxel wax300h_firmware *
CVE-2024-1575

The improper privilege management vulnerability in the Zyxel WBE660S firmware version 6.70(ACGG.3) and earlier versions could allow an authenticated user to escalate privileges and download the configuration files on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wax655e_firmware *
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel nwa1123acv3_firmware *
zyxel wax510d_firmware *
zyxel nwa90ax_firmware *
zyxel wac500_firmware *
zyxel wac500h_firmware *
zyxel wax640s-6e_firmware *
zyxel wbe660s_firmware *
zyxel nwa55axe_firmware *
zyxel nwa50ax-pro_firmware *
zyxel wax650s_firmware *
zyxel nwa210ax_firmware *
zyxel nwa90ax-pro_firmware *
zyxel nwa50ax_firmware *
zyxel wax630s_firmware *
zyxel wax300h_firmware *
CVE-2024-29972

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2024-29973

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2024-29974

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2024-29975

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2024-29976

** UNSUPPORTED WHEN ASSIGNED ** The improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware *
CVE-2024-38266

An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel wx3401-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel pm3100-t0_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel pm5100-t0_firmware *
zyxel scr50axe_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ax7501-b0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-38267

An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel wx3401-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel pm3100-t0_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel pm5100-t0_firmware *
zyxel scr50axe_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-38268

An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel wx3401-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel pm3100-t0_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel pm5100-t0_firmware *
zyxel scr50axe_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-38269

An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a thread crash on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel wx3401-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel ex5512-t0_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel pm3100-t0_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel pm5100-t0_firmware *
zyxel scr50axe_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-40890

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel vmg1312-b10a_firmware -
zyxel sbg3500-n000_firmware -
zyxel vmg3926-b10b_firmware -
zyxel vmg4325-b10a_firmware -
zyxel sbg3500-nb00_firmware -
zyxel vmg4380-b10a_firmware -
zyxel vmg8924-b10a_firmware -
zyxel vmg8324-b10a_firmware -
zyxel vmg3312-b10a_firmware -
zyxel vmg1312-b10e_firmware -
zyxel sbg3300-nb00_firmware -
zyxel vmg1312-b10b_firmware -
zyxel sbg3300-n000_firmware -
zyxel vmg3313-b10a_firmware -
CVE-2024-40891

**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel vmg1312-b10a_firmware -
zyxel sbg3500-n000_firmware -
zyxel vmg3926-b10b_firmware -
zyxel vmg4325-b10a_firmware -
zyxel sbg3500-nb00_firmware -
zyxel vmg4380-b10a_firmware -
zyxel vmg8924-b10a_firmware -
zyxel vmg8324-b10a_firmware -
zyxel vmg3312-b10a_firmware -
zyxel vmg1312-b10e_firmware -
zyxel sbg3300-nb00_firmware -
zyxel vmg1312-b10b_firmware -
zyxel sbg3300-n000_firmware -
zyxel vmg3313-b10a_firmware -
CVE-2024-42057

A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. Note that this attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-42058

A null pointer dereference vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V5.20 through V5.38, and USG20(W)-VPN series firmware versions from V5.20 through V5.38 could allow an unauthenticated attacker to cause DoS conditions by sending crafted packets to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-42059

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V5.00 through V5.38, USG FLEX series firmware versions from V5.00 through V5.38, USG FLEX 50(W) series firmware versions from V5.00 through V5.38, and USG20(W)-VPN series firmware versions from V5.00 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted compressed language file via FTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-42060

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to execute some OS commands on an affected device by uploading a crafted internal user agreement file to the vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-42061

A reflected cross-site scripting (XSS) vulnerability in the CGI program "dynamic_script.cgi" of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-5412

A buffer overflow vulnerability in the library "libclinkc" of the Zyxel VMG8825-T50K firmware version 5.50(ABOM.8)C0 could allow an unauthenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx3401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel nebula_fwa510_firmware *
zyxel wx3100-t0_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel emg5523-t50b_firmware *
zyxel nebula_fwa710_firmware *
zyxel vmg3927-t50k_firmware *
zyxel nr5103ev2_firmware *
zyxel scr50axe_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel nr7501_firmware *
zyxel ex3300-t0_firmware *
zyxel nr7303_firmware *
zyxel nr5103_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel nr7302_firmware *
zyxel nebula_fwa505_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel nr5307_firmware *
zyxel ex5401-b1_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel nr7103_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
CVE-2024-6342

**UNSUPPORTED WHEN ASSIGNED** A command injection vulnerability in the export-cgi program of Zyxel NAS326 firmware versions through V5.21(AAZF.18)C0 and NAS542 firmware versions through V5.21(ABAG.15)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel nas542_firmware *
zyxel nas326_firmware 5.21(aazf.18)c0
zyxel nas326_firmware *
zyxel nas542_firmware 5.21(abag.15)c0
CVE-2024-6343

A buffer overflow vulnerability in the CGI program of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-7203

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.60 through V5.38 and USG FLEX series firmware versions from V4.60 through V5.38 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device by executing a crafted CLI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel zld *
CVE-2024-8234

** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the functions formSysCmd(), formUpgradeCert(), and formDelcert() in the Zyxel NWA1100-N firmware version 1.00(AACE.1)C0 could allow an unauthenticated attacker to execute some OS commands to access system files on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zyxel nwaw1100-n_firmware 1.00(aace.1)c0
CVE-2024-8748

A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmware versions through V5.50(ABOM.8.4)C0 could allow an attacker to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP POST request to a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel pm7500-t0_firmware *
zyxel wx3401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel ex5600-t1_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel ex2210-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel emg5523-t50b_firmware *
zyxel lte5388-m804_firmware *
zyxel ex5501-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel lte5398-m904_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel nebula_nr7101_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel nr7102_firmware *
zyxel vmg4927-b50a_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg4005-b50b_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel pm3100-t0_firmware *
zyxel nebula_nr5101_firmware *
zyxel nr7101_firmware *
zyxel ax7501-b1_firmware *
zyxel lte7480-m804_firmware *
zyxel ex5401-b1_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg5723-t50k_firmware *
zyxel ax7501-b0_firmware *
zyxel lte7490-m904_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-8881

A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system (OS) commands on an affected device by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2024-8882

A buffer overflow vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to cause denial of service (DoS) conditions via a crafted URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 0.9 3.6

Products Affected

Vendor Product Version
zyxel gs1900-24_firmware *
zyxel gs1900-24ep_firmware *
zyxel gs1900-16_firmware *
zyxel gs1900-8hp_firmware *
zyxel gs1900-24e_firmware *
zyxel gs1900-10hp_firmware *
zyxel gs1900-24hpv2_firmware *
zyxel gs1900-8_firmware *
zyxel gs1900-48hpv2_firmware *
zyxel gs1900-48_firmware *
CVE-2024-9197

A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B firmware versions through V5.50(ABPM.9.2)C0 could allow an authenticated attacker with administrator privileges to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP GET request to a vulnerable device if the function ZyEE is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx5600-t0_firmware *
zyxel ex5401-b0_firmware *
zyxel dx3300-t0_firmware *
zyxel ex5600-t1_firmware *
zyxel dx3300-t1_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel px5301-t0_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel ax7501-b1_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel ex5401-b1_firmware *
zyxel vmg3927-t50k_firmware *
zyxel dx3301-t0_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel ex3300-t0_firmware *
zyxel dx5401-b1_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel ax7501-b0_firmware *
zyxel ex5601-t0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2024-9200

A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel vmg4927-b50a_firmware *
zyxel vmg4005-b60a_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg6726-b10a_firmware *
zyxel vmg4005-b50b_firmware *
CVE-2024-9677

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zyxel uos *
CVE-2025-0890

**UNSUPPORTED WHEN ASSIGNED** Insecure default credentials for the Telnet function in the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel vmg1312-b10a_firmware -
zyxel sbg3500-n000_firmware -
zyxel vmg3926-b10b_firmware -
zyxel vmg4325-b10a_firmware -
zyxel sbg3500-nb00_firmware -
zyxel vmg4380-b10a_firmware -
zyxel vmg8924-b10a_firmware -
zyxel vmg8324-b10a_firmware -
zyxel vmg3312-b10a_firmware -
zyxel vmg1312-b10e_firmware -
zyxel sbg3300-nb00_firmware -
zyxel vmg1312-b10b_firmware -
zyxel sbg3300-n000_firmware -
zyxel vmg3313-b10a_firmware -
CVE-2025-11845

A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel nebula_fwa510_firmware *
zyxel wx3100-t0_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel ex2210-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel nebula_fwa710_firmware *
zyxel ex5601-t1_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel pm5100-t1_firmware *
zyxel ee5301-00_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel nebula_fwa505_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel nebula_fwa515_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel pe5301-01_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
zyxel scr_50axe_firmware *
CVE-2025-11846

A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel nebula_fwa510_firmware *
zyxel wx3100-t0_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel ex2210-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel nebula_fwa710_firmware *
zyxel ex5601-t1_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel pm5100-t1_firmware *
zyxel ee5301-00_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel nebula_fwa505_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel nebula_fwa515_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel pe5301-01_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
zyxel scr_50axe_firmware *
CVE-2025-11847

A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel nebula_fwa510_firmware *
zyxel wx3100-t0_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel ex2210-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel nebula_fwa710_firmware *
zyxel ex5601-t1_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel pm5100-t1_firmware *
zyxel ee5301-00_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel nebula_fwa505_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel nebula_fwa515_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel pe5301-01_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
zyxel scr_50axe_firmware *
CVE-2025-11848

A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex2210-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5601-t1_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel pm5100-t1_firmware *
zyxel ee5301-00_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel pe5301-01_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
zyxel scr_50axe_firmware *
CVE-2025-13942

A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel px3321-t1_firmware *
zyxel ex7710-b0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ee6510-10_firmware *
zyxel nebula_nr7101_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3510-b1_firmware *
zyxel nebula_lte3301-plus_firmware *
zyxel ex2210-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel vmg4927-b50a_firmware *
zyxel dx4510-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel nr7101_firmware *
zyxel ex5510-b0_firmware *
CVE-2025-13943

A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel we3300-00_firmware *
zyxel we4600-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel ex2210-t0_firmware *
zyxel am7510-00_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5601-t1_firmware *
zyxel ex3510-b0_firmware *
zyxel dx4510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel pm5100-t1_firmware *
zyxel ee5301-00_firmware *
zyxel dm4200-b0_firmware *
zyxel vmg4927-b50a_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel ex3301-t0_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel pe5301-01_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2025-1731

An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zyxel uos *
CVE-2025-1732

An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
zyxel uos 1.31
CVE-2025-3577

**UNSUPPORTED WHEN ASSIGNED** A path traversal vulnerability in the web management interface of the Zyxel AMG1302-T10B firmware version 2.00(AAJC.16)C0 could allow an authenticated attacker with administrator privileges to access restricted directories by sending a crafted HTTP request to an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zyxel amg1302-t10b_firmware 2.00(aajc.16)c0
CVE-2025-6265

A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel wax620d-6e_firmware *
zyxel nwa220ax-6e_firmware *
zyxel wax655e_firmware *
zyxel wbe530_firmware *
zyxel nwa110ax_firmware *
zyxel wax610d_firmware *
zyxel nwa130be_firmware *
zyxel wac5302d-sv2_firmware *
zyxel wax510d_firmware *
zyxel nwa90ax_pro_firmware *
zyxel nwa90ax_firmware *
zyxel wac500h_firmware *
zyxel wax640s-6e_firmware *
zyxel wbe660s_firmware *
zyxel nwa50ax_pro_firmware *
zyxel nwa55axe_firmware *
zyxel wac6103d-i_firmware *
zyxel wax650s_firmware *
zyxel nwa1123ac_pro_firmware *
zyxel nwa210ax_firmware *
zyxel nwa50ax_firmware *
zyxel wax630s_firmware *
zyxel wax300h_firmware *
CVE-2025-6599

An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks may temporarily block legitimate HTTP requests and partially disrupt access to the web management interface, while other networking services remain unaffected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx3401-b0_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel nebula_fwa510_firmware *
zyxel wx3100-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel nebula_fwa710_firmware *
zyxel vmg3927-t50k_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel nr5103e_firmware *
zyxel nr7303_firmware *
zyxel nr5103_firmware *
zyxel ee5301-00_firmware *
zyxel dm4200-b0_firmware *
zyxel vmg4927-b50a_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel nr7302_firmware *
zyxel nebula_fwa505_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg4005-b50b_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel lte3301-plus_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel nebula_fwa515_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel emg6726-b10a_firmware *
zyxel ee6510-10_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel nr5309_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg5723-t50k_firmware *
zyxel pe5301-01_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
zyxel scr_50axe_firmware *
CVE-2025-7673

A buffer overflow vulnerability in the URL parser of the zhttpd web server in Zyxel VMG8825-T50K firmware versions prior to V5.50(ABOM.5)C0 could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and potentially execute arbitrary code by sending a specially crafted HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zyxel xmg8825-b50a_firmware *
zyxel vmg8825-bx0b_firmware *
zyxel vmg3925-b10b_firmware *
zyxel vmg1312-t20b_firmware *
zyxel vmg4005-b50b_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel vmg8825-t50k_firmware *
zyxel emg5523-t50b_firmware *
zyxel vmg3927-t50k_firmware *
zyxel vmg8825-b50a_firmware *
zyxel emg6726-b10a_firmware *
zyxel ex3510-b0_firmware *
zyxel xmg3927-b50a_firmware *
zyxel vmg3925-b10c_firmware *
zyxel vmg4927-b50a_firmware *
zyxel vmg3927-b50a_firmware *
zyxel vmg8825-b60a_firmware *
zyxel vmg3927-b50b_firmware *
zyxel emg5723-t50k_firmware *
zyxel ex5510-b0_firmware *
zyxel vmg8924-b10d_firmware *
zyxel vmg3927-b60a_firmware *
zyxel emg3525-t50b_firmware *
CVE-2025-8078

A post-authentication command injection vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on the affected device by passing a crafted string as an argument to a CLI command.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel zld *
CVE-2025-8693

A post-authentication command injection vulnerability in the "priv" parameter of Zyxel DX3300-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an authenticated attacker to execute operating system (OS) commands on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zyxel vmg4005-b50a_firmware *
zyxel ex3500-t0_firmware *
zyxel px3321-t1_firmware *
zyxel wx3401-b0_firmware *
zyxel we3300-00_firmware *
zyxel dx3300-t0_firmware *
zyxel dx3300-t1_firmware *
zyxel wx3100-t0_firmware *
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel ex3300-t1_firmware *
zyxel dx4510-b1_firmware *
zyxel wx3401-b1_firmware *
zyxel vmg8825-t50k_firmware *
zyxel pm7500-00_firmware *
zyxel emg5523-t50b_firmware *
zyxel ex5501-b0_firmware *
zyxel vmg3927-t50k_firmware *
zyxel ex5601-t1_firmware *
zyxel dx5401-b0_firmware *
zyxel ex3510-b0_firmware *
zyxel ex3300-t0_firmware *
zyxel ee5301-00_firmware *
zyxel dm4200-b0_firmware *
zyxel ex5510-b0_firmware *
zyxel pm7300-t0_firmware *
zyxel ex5601-t0_firmware *
zyxel wx5600-t0_firmware *
zyxel ex7710-b0_firmware *
zyxel ex5401-b0_firmware *
zyxel vmg4005-b60a_firmware *
zyxel ex3301-t0_firmware *
zyxel vmg4005-b50b_firmware *
zyxel ex5512-t0_firmware *
zyxel px5301-t0_firmware *
zyxel pm3100-t0_firmware *
zyxel ax7501-b1_firmware *
zyxel ex5401-b1_firmware *
zyxel pm5100-t0_firmware *
zyxel dx3301-t0_firmware *
zyxel ee6510-10_firmware *
zyxel ex3510-b1_firmware *
zyxel pe3301-00_firmware *
zyxel ee3301-00_firmware *
zyxel dx5401-b1_firmware *
zyxel wx5610-b0_firmware *
zyxel ex3501-t0_firmware *
zyxel ex7501-b0_firmware *
zyxel gm4100-b0_firmware *
zyxel emg5723-t50k_firmware *
zyxel pe5301-01_firmware *
zyxel ax7501-b0_firmware *
zyxel emg3525-t50b_firmware *
zyxel ex3600-t0_firmware *
CVE-2025-9133

A missing authorization vulnerability in Zyxel ATP series firmware versions from V4.32 through V5.40, USG FLEX series firmware versions from V4.50 through V5.40, USG FLEX 50(W) series firmware versions from V4.16 through V5.40, and USG20(W)-VPN series firmware versions from V4.16 through V5.40 could allow a semi-authenticated attacker—who has completed only the first stage of the two-factor authentication (2FA) process—to view and download the system configuration from an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zyxel zld *
CVE-2026-1459

A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zyxel.com.tw 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
zyxel vmg3625-t50b_firmware *
zyxel vmg8623-t50b_firmware *
zyxel dx5401-b1_firmware *
zyxel vmg3625-t50c_firmware *
zyxel emg5523-t50b_firmware *
zyxel emg3525-t50b_firmware *