A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZyxel Atp100
HWZyxelwszystkie wersjeZyxel Atp100 Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Atp100w
HWZyxelwszystkie wersjeZyxel Atp100w Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Atp200
HWZyxelwszystkie wersjeZyxel Atp200 Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Atp500
HWZyxelwszystkie wersjeZyxel Atp500 Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Atp700
HWZyxelwszystkie wersjeZyxel Atp700 Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Atp800
HWZyxelwszystkie wersjeZyxel Atp800 Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Usg20w Vpn
HWZyxelwszystkie wersjeZyxel Usg20w Vpn Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Usg Flex 100w
HWZyxelwszystkie wersjeZyxel Usg Flex 100w Firmware
OSZyxel5.00 – 5.30 (bez)Zyxel Usg Flex 200
HWZyxelwszystkie wersjeZyxel Usg Flex 200 Firmware
OSZyxel5.00 – 5.30 (bez)Zyxel Usg Flex 500
HWZyxelwszystkie wersjeZyxel Usg Flex 500 Firmware
OSZyxel5.00 – 5.30Zyxel Usg Flex 50w
HWZyxelwszystkie wersjeZyxel Usg Flex 50w Firmware
OSZyxel5.10 – 5.30 (bez)Zyxel Usg Flex 700
HWZyxelwszystkie wersjeZyxel Usg Flex 700 Firmware
OSZyxel5.00 – 5.30 (bez)Zyxel Vpn100
HWZyxelwszystkie wersjeZyxel Vpn1000
HWZyxelwszystkie wersjeZyxel Vpn1000 Firmware
OSZyxel4.60 – 5.30 (bez)Zyxel Vpn100 Firmware
OSZyxel4.60 – 5.30 (bez)Zyxel Vpn300
HWZyxelwszystkie wersjeZyxel Vpn300 Firmware
OSZyxel4.60 – 5.30 (bez)
CISA KEV — detailsi
- Vendori
- Zyxel
- Producti
- Multiple Firewalls
- Added to KEVi
- May 16, 2022
- Remediation deadline (US Federal)i
- June 6, 2022(overdue)
Apply updates per vendor instructions.
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
Related vulnerabilities
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 throug...
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 throu...
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series fir...
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable passw...
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...