Improper Input Validation Vulnerabilities in Zyxel Firewall Products
CVE-2022-26531

6.1MEDIUM

Key Information:

Vendor: Zyxel
Status: Usg/zywall Series Firmware; Usg Flex Series Firmware; Atp Series Firmware; Vpn Series Firmware
Vendor: CVE Published:; 24 May 2022

What is CVE-2022-26531?

Multiple improper input validation flaws in Zyxel's CLI commands for various firewall and network security products could allow authenticated local attackers to execute malicious payloads. Exploitation may lead to severe consequences such as buffer overflow, potentially resulting in a system crash, which compromises the integrity and availability of the affected systems. The vulnerability spans across several firmware versions, necessitating immediate attention from users and administrators to mitigate risks.

Affected Version(s)

ATP series firmware 4.32 through 5.21

NAP203 firmware <= 6.25(ABFA.7)

NSG series firmware 1.00 through 1.33 Patch 4

References

https://www.zyxel.com/support/multiple-vulnerabilities-of...

http://seclists.org/fulldisclosure/2022/Jun/15

mailing-list

http://packetstormsecurity.com/files/167464/Zyxel-Buffer-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2022
Vulnerability Reserved
Mar 7, 2022