Update now! Zyxel patches critical firewall bypass vulnerability

In a security advisory, Zyxel has urged customers to update because a security flaw can lead to the circumvention of firewall protection in several Zyxel products.

Zyxel is a Taiwanese producer of modems and other networking equipment and its products are sold in over 150 countries.

The vulnerability

Zyxel says the vulnerability, listed as CVE-2022-0342, is an authentication bypass caused by the lack of a proper access control mechanism in the CGI program of some firewall versions. The flaw could allow an attacker to bypass authentication and obtain administrative access to the device.

The Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Affected series

Zyxel has published a list of vulnerable products that are within their warranty and support period, and has released updates to address the issue.

| Affected series | Affected firmware version | Patch availability |
| --- | --- | --- |
| USG/ZyWALL | ZLD V4.20 through ZLD V4.70 | ZLD V4.71 |
| USG FLEX | ZLD V4.50 through ZLD V5.20 | ZLD V5.21 Patch 1 |
| ATP | ZLD V4.32 through ZLD V5.20 | ZLD V5.21 Patch 1 |
| VPN | ZLD V4.30 through ZLD V5.20 | ZLD V5.21 |
| NSG | V1.20 through V1.33 Patch 4 | Hotfix V1.33p4_WK11* available now; standard patch V1.33 Patch 5 in May 2022 |

From the security advisory it is unclear whether there are vulnerable products that are outside of the support period.
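For triaging a device inventory against the table above, here is an added example (not code from Zyxel or from this article). It assumes firmware strings are recorded in the same notation the table uses; the hostnames and inventory rows are constructed. Versions older than the listed range are reported as "not-listed" rather than safe, because the advisory is silent on them.

```python
import re

# (first affected, last affected, first fixed) as (major, minor, patch) tuples,
# transcribed from the advisory table above.
ADVISORY = {
    "USG/ZYWALL": ((4, 20, 0), (4, 70, 0), (4, 71, 0)),
    "USG FLEX":   ((4, 50, 0), (5, 20, 0), (5, 21, 1)),
    "ATP":        ((4, 32, 0), (5, 20, 0), (5, 21, 1)),
    "VPN":        ((4, 30, 0), (5, 20, 0), (5, 21, 0)),
    "NSG":        ((1, 20, 0), (1, 33, 4), (1, 33, 5)),
}
NSG_HOTFIX = "V1.33P4_WK11"  # hotfix name from the table, upper-cased for matching
VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*(?:Patch\s*|p)(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Turn 'ZLD V5.21 Patch 1' or 'V1.33p4' into a comparable tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)

def triage(series, firmware):
    """Classify one device against the advisory table."""
    key = series.strip().upper()
    if key not in ADVISORY:
        return "not-listed"            # series absent from the advisory
    low, high, fixed = ADVISORY[key]
    if key == "NSG" and NSG_HOTFIX in firmware.upper():
        return "fixed"                 # interim hotfix named in the table
    version = parse_version(firmware)
    if version >= fixed:
        return "fixed"
    if low <= version <= high:
        return "affected"
    if version > high:
        return "below-fix"             # above the listed range, below the listed patch
    return "not-listed"                # older than the listed range

# Constructed sample inventory (hypothetical hostnames).
INVENTORY = [
    ("fw-branch-01", "USG FLEX", "ZLD V5.20"),
    ("fw-branch-02", "USG FLEX", "ZLD V5.21"),
    ("fw-hq-01", "ATP", "ZLD V5.21 Patch 1"),
    ("vpn-old-01", "VPN", "ZLD V4.20"),
    ("nsg-01", "NSG", "V1.33 Patch 4"),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(series, fw) for host, series, fw in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as "below-fix" or "not-listed" still need a manual check against the vendor's advisory.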

How to fix the Zyxel vulnerability

Administrators of NSG devices running V1.20 through V1.33 Patch 4 need to reach out to their local Zyxel support team for the hotfix file, or wait until May, when standard patch V1.33 Patch 5 is scheduled to be released.

Owners of the other affected products can search for their updated firmware by model number on the Zyxel support download page. Please note that the patches should have a release date of 03/29/2022 or later.

For firewalls it is always a good idea to restrict the IP addresses that are permitted to access the management interface.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher
