Zyxel has rolled out patches for four security flaws plaguing its firewall, AP Controller, and AP products. The flaws can be exploited to execute arbitrary system commands and steal select information.
- CVE-2022-0734: Some firewalls have cross-site scripting (XSS) flaws that can be exploited to access information stored in the user’s browser, like cookies or session tokens, via a malicious script.
- CVE-2022-26531: Some firewalls are bedevilled by several input validation flaws in command-line interface (CLI) commands. These flaws also affect AP controllers and AP devices and can be exploited to crash a system.
- CVE-2022-26532: A command injection vulnerability in the “packet-trace” CLI command for some versions of firewall, AP controller, and AP devices can result in the execution of arbitrary OS commands.
- CVE-2022-0910: An authentication bypass vulnerability affecting select firewall versions that could permit an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.
Zyxel released software patches for firewalls and AP devices; for AP controllers affected by CVE-2022-26531 and CVE-2022-26532, the fix is available by contacting the respective local Zyxel support teams.
The development comes as a critical command injection flaw in select versions of Zyxel firewalls (CVE-2022-30525, CVSS score: 9.8) has come under active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency to add the bug to its Known Exploited Vulnerabilities Catalog.