Zyxel has released patches for four security flaws affecting its firewall, AP controller, and AP products that could be exploited to execute arbitrary operating system commands and steal select information.
The list of security vulnerabilities is as follows:
CVE-2022-0734 – A cross-site scripting (XSS) vulnerability within some firewall versions that could be exploited to access information stored in the user’s browser, such as cookies or session tokens, via a malicious script.
CVE-2022-26531 – Several input validation flaws in the command-line interface (CLI) commands for some versions of firewall, AP controller, and AP devices could be exploited to cause a system crash.
CVE-2022-26532 – A command injection vulnerability in the “packet-trace” CLI command for some versions of firewall, AP controller, and AP devices that could lead to the execution of arbitrary OS commands.
CVE-2022-0910 – An authentication bypass vulnerability affecting select firewall versions that could permit an attacker to downgrade from two-factor authentication to one-factor authentication via an IPsec VPN client.
The software patches for firewalls and AP devices, and the hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532, can be obtained only by contacting the respective local Zyxel support teams.
Earlier this month, a serious flaw was identified in Zyxel firewalls, and customers were advised to apply the required patches to enhance protection.