Zyxel finally patches dangerous VPN and Firewall flaws
Updated firmware is now rolling out to address a critical-security vulnerability
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
The network equipment makerZyxelhas patched several of its business-gradeVPNandfirewallproducts to prevent hackers from exploiting a security flaw that could give them admin-level access to vulnerable devices.
The critical-severity vulnerability, tracked as CVE-2022-0342, affects business VPN and firewall products from the company’s USG/Zy Wall, USG Flex, ATP VPN and NSG (Nebula Security Gateway) series.
While the National Institute of Standards and Technology (NIST) has yet to provide the vulnerability with a security rating, Zyxel has given it a score of 9.8 out of a maximum of 10.
In a recently releasedsecurity advisory, the company provided further details on the nature of theauthentication bypassvulnerability found in the firmware of several of its products, saying:
“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions. The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device.”
Vulnerable firewall and VPN products
According to Zyxel, the critical-severity vulnerability is present in the firmware of its USG/ZyWALL series versions 4.20-4.70, USG FLEX series versions 4.50-5.20, APT series versions 4.32-5.20, VPN series versions 4.30-5.20 and NSG series versions V1.20-V.133 Patch 4.
For its NSG series products, the company has released a hotfix for now though it plans to roll out a standard patch next month.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Business VPN usage likely to remain high even as the pandemic subsides>This company is giving away a free VPN to businesses and there’s no catches>How to build a free internet security suite using only standard Windows tools
The critical-severity vulnerability was discovered by Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.
While there are currently no public reports of this security flaw being exploited in the wild, Zyxel is advising its customers to install its latest firmware updates “for optimal protection”.
As Zyxel’s hardware devices are generally used in small to mid-sized environments to combine network access with security components that protect againstmalware,phishingand other malicious activity, organizations should update any affected hardware as soon as possible.
ViaBleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
Should your VPN always be on?
3 reasons why PIA fell in our best VPN rankings
Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics
