The network equipment maker Zyxel has patched several of its business-grade VPN and firewall products to prevent hackers from exploiting a security flaw that could give them admin-level access to vulnerable devices.
The critical-severity vulnerability, tracked as CVE-2022-0342, affects business VPN and firewall products from the company’s USG/Zy Wall, USG Flex, ATP VPN and NSG (Nebula Security Gateway) series.
While the National Institute of Standards and Technology (NIST) has yet to provide the vulnerability with a security rating, Zyxel has given it a score of 9.8 out of a maximum of 10.
In a recently released security advisory, the company provided further details on the nature of the authentication bypass vulnerability found in the firmware of several of its products, saying:
“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.”
Vulnerable firewall and VPN products
According to Zyxel, the critical-severity vulnerability is present in the firmware of its USG/ZyWALL series versions 4.20-4.70, USG FLEX series versions 4.50-5.20, APT series versions 4.32-5.20, VPN series versions 4.30-5.20 and NSG series versions V1.20-V.133 Patch 4.
For its NSG series products, the company has released a hotfix for now though it plans to roll out a standard patch next month.
The critical-severity vulnerability was discovered by Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.
While there are currently no public reports of this security flaw being exploited in the wild, Zyxel is advising its customers to install its latest firmware updates “for optimal protection”.
As Zyxel’s hardware devices are generally used in small to mid-sized environments to combine network access with security components that protect against malware, phishing and other malicious activity, organizations should update any affected hardware as soon as possible.