Missing Access Control in Zyxel UAG, USG, and ZyWall Devices
CVE-2019-12583

9.1CRITICAL

Key Information:

Vendor: Zyxel
Status: Uag2100 Firmware
Vendor: CVE Published:; 27 June 2019

Summary

A missing access control vulnerability in the Free Time feature of Zyxel UAG, USG, and ZyWall devices allows remote attackers to gain unauthorized access by generating guest accounts. This oversight can facilitate unauthorized network entry and potentially lead to Denial of Service attacks. The flaw stems from insufficient validation in the account generation mechanism, making it crucial for users to update their devices to mitigate the risk.

References

https://www.zyxel.com/support/vulnerabilities-related-to-...

x_refsource_CONFIRM

https://n-thumann.de/blog/zyxel-gateways-missing-access-c...

x_refsource_MISC

EPSS Score

59% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 27, 2019
Vulnerability Reserved
Jun 2, 2019