Argument Injection Vulnerability in Zyxel USG/ZyWALL Series Firmware
CVE-2022-26532

7.8HIGH

Key Information:

Vendor

Zyxel
Status
Usg/zywall Series Firmware
Usg Flex Series Firmware
Atp Series Firmware
Vpn Series Firmware
Vendor
CVE Published:
24 May 2022

What is CVE-2022-26532?

A vulnerability exists within the 'packet-trace' CLI command in various Zyxel firmware versions, allowing a local authenticated attacker to inject crafted arguments that could potentially execute arbitrary operating system commands. This poses a significant security risk for network environments relying on affected Zyxel products, highlighting the need for timely updates and strong access controls.

Affected Version(s)

ATP series firmware 4.32 through 5.21

NAP203 firmware <= 6.25(ABFA.7)

NSG series firmware 1.00 through 1.33 Patch 4

References

https://www.zyxel.com/support/multiple-vulnerabilities-of...
x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/Jun/15
mailing-listx_refsource_FULLDISC
http://packetstormsecurity.com/files/167464/Zyxel-Buffer-...
x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.