Archive for ZyXEL

Significant Vulnerability In Zyxel CPE Series Devices Is Being Actively Exploited

Posted in Commentary with tags on January 30, 2025 by itnerd

Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that has remained unpatched since last July.

GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.

CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).

Martin Jartelius, CISO at Outpost24 had this to say:

“This is a case where the CVE system has not been efficient. As vendors withhold publishing information and CVEs until they have a solution, organizations are unable to proactively take action and remove critically vulnerable devices.”

“The vulnerability was put in a reserved state in July 2024 and has since remained undisclosed by the vendor, meaning that currently it is also not indexed by sources such as NVD. Many organizations source their vulnerability information from NVD, and even though security researchers and the vendor are aware, customers remain uninformed.”

“If we turn to the vendor and review the available drivers, they have a range of release dates, some dating as old as 2016, others released in spring 2024.”

“It should be noted that the devices are not present on either of the vendor’s lists of End-Of-Life devices, and the lack of updates addressing the issue is very concerning. Zyxel already prior to this constitutes several of the vulnerabilities listed in the CISA KEV list, and if the latest two are added, Zyxel will on their own constitute 1% of the total list of Known Exploited Vulnerabilities.”

To say that this isn’t good is an understatement. Hopefully Zyxel decides to address this issue ASAP as the fact that this is being actively exploited isn’t going to end well for anyone using the Zyxel devices. Nor will it end well for Zyxel.

Zyxel Warns Of Critical Vulnerabilities In Firewall And VPN Devices

Posted in Commentary with tags on May 27, 2023 by itnerd

Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products. Left unpatched, either vulnerability could be exploited by a threat actor without authentication. Here are the vulnerabilities:

CVE-2023-33009

A buffer overflow vulnerability in the notification function in some firewall versions could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

CVE-2023-33010

A buffer overflow vulnerability in the ID processing function in some firewall versions could allow an unauthenticated attacker to cause DoS conditions and even a remote code execution on an affected device.

Here’s a list of affected devices:

  • Zyxel ATP firmware versions ZLD V4.32 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX firmware versions ZLD V4.50 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX50(W) / USG20(W)-VPN firmware versions ZLD V4.25 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel VPN firmware versions ZLD V4.30 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel ZyWALL/USG firmware versions ZLD V4.25 to V4.73 Patch 1 (fixed in ZLD V4.73 Patch 2)
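As an added example (not Zyxel’s or this blog’s own code), here is a small Python checker that encodes the affected and fixed ZLD ranges from the list above and flags inventory entries that still need the patch; the product keys, the exact version-string format, and the sample inventory are assumptions.

```python
"""Version-range checker for the Zyxel ZLD firewall advisory above.

Added example, not Zyxel tooling. The product keys and the version-string
format ("ZLD V5.36 Patch 1") are assumptions based on the advisory list.
"""
import re

# (first affected, last affected, fixed) per product line, copied from the list above.
AFFECTED_RANGES = {
    "ATP": ("ZLD V4.32", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX": ("ZLD V4.50", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "USG FLEX50(W)/USG20(W)-VPN": ("ZLD V4.25", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "VPN": ("ZLD V4.30", "ZLD V5.36 Patch 1", "ZLD V5.36 Patch 2"),
    "ZyWALL/USG": ("ZLD V4.25", "ZLD V4.73 Patch 1", "ZLD V4.73 Patch 2"),
}

_VERSION_RE = re.compile(r"^ZLD\s+V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_zld(version: str) -> tuple[int, int, int]:
    """Turn 'ZLD V5.36 Patch 1' into (5, 36, 1); a bare 'ZLD V4.32' is patch level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True when the build lies inside the advisory's stated vulnerable range (inclusive).

    Builds older than the lower bound are outside the advisory's scope, not cleared by it.
    """
    low, high, _fixed = AFFECTED_RANGES[product]
    return parse_zld(low) <= parse_zld(version) <= parse_zld(high)


def needed_fix(product: str) -> str:
    """The first build that closes the hole for this product line."""
    return AFFECTED_RANGES[product][2]


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("ATP", "ZLD V5.36 Patch 1"), ("ATP", "ZLD V5.36 Patch 2"),
                 ("ZyWALL/USG", "ZLD V4.73 Patch 1")]
    for product, version in inventory:
        verdict = f"VULNERABLE, upgrade to {needed_fix(product)}" if is_affected(product, version) else "ok"
        print(f"{product:28} {version:20} {verdict}")
```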

Zyxel has released patches for their firewalls. I’d strongly suggest installing them ASAP.

ZyXEL Has Unpatched Flaws In Their Router Hardware

Posted in Commentary with tags on December 28, 2016 by itnerd

It seems Netgear isn’t alone in putting out insecure router hardware.

Security firm SecuriTeam published a report on four security flaws affecting three router models manufactured by ZyXEL.

The three router models and vulnerabilities are:

  • Unauthenticated remote command execution vulnerability – P660HN-T v1 router
  • Unauthenticated remote command execution vulnerability – Billion 5200W-T
  • Authenticated remote command execution vulnerability – Billion 5200W-T
  • Unauthenticated remote command execution vulnerability – P660HN-T v2

These flaws allow an attacker to take control of affected products by issuing maliciously crafted HTTP requests. Furthermore, the routers also come with simplistic username and password combinations that are easy to guess. Proof of concept code has been released by SecuriTeam, which means that hackers are working to come up with attack code that will be used to pwn anyone who has one of these routers.

Here’s the part that should really bother anyone who owns one of these ZyXEL routers:

We notified ZyXEL of the vulnerabilities back in July 2016; repeated attempts to re-establish contact and get some answer on the status of the patches for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.

That lack of response alone should make any owner of ZyXEL hardware think twice about owning their products. Seeing as these are unpatched flaws (though one suspects that with this bad press, fixes are on the way), your best defence is to stop using the affected products until a fix comes out. Or better yet, use a router from a company that doesn’t have to be shamed into fixing security issues.