Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products.
While the flaws are yet not ascribed a high severity rating, the potential damage they can cause is something to be taken seriously as these flaws could be exploited by malicious attackers as an aspect of exploit chains. Moreover, Zyxel goods are used by large enterprises, and any exploitable faults in them attract threat actors right away.
The most serious of the four flaws is a command injection problem in various CLI commands, which is classified as CVE-2022-26532 (CVSS v3.1 7.8):
- CVE-2022-0734: A cross-site scripting vulnerability has been discovered in the CGI, which could allow a malicious script to access information stored in the user's browser, such as cookies.
- CVE-2022-26531: A locally authenticated attacker might utilize a system crash by exploiting several erroneous input validation issues in various CLI commands of some firewall, AP controller, and AP versions.
- CVE-2022-26532: A command injection vulnerability in some firewall, AP controller, and AP versions' "packet-trace" CLI command might enable a local authorized attacker to execute arbitrary OS instructions by passing crafted parameters to the command.
- CVE-2022-0910: An attacker might use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication.
While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams.
The news comes as a major command injection hole in select Zyxel firewalls; CVE-2022-30525, CVSS score: 9.8) has been actively exploited, forcing the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its Recorded Exploited Vulnerabilities Database.
