CVSS: 6.8EPSS: 0%CPEs: 50EXPL: 0CVE-2022-2030
https://notcve.org/view.php?id=CVE-2022-2030
19 Jul 2022 — A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN ... • https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 50EXPL: 3CVE-2022-30526 – Zyxel Firewall SUID Binary Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-30526
19 Jul 2022 — A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware vers... • https://packetstorm.news/files/id/168202 • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 145EXPL: 1CVE-2022-26532 – Zyxel Buffer Overflow / Format String / Command Injection
https://notcve.org/view.php?id=CVE-2022-26532
24 May 2022 — A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versi... • https://packetstorm.news/files/id/167464 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 6.5EPSS: 0%CPEs: 64EXPL: 0CVE-2022-0910
https://notcve.org/view.php?id=CVE-2022-0910
24 May 2022 — A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled. Se ha detect... • https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 64EXPL: 0CVE-2022-0734
https://notcve.org/view.php?id=CVE-2022-0734
24 May 2022 — A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script. Se identificó una vulnerabilidad de tipo cross-site scripting en el programa CG... • https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 145EXPL: 2CVE-2022-26531 – Zyxel zysh Format String Proof of Concept
https://notcve.org/view.php?id=CVE-2022-26531
24 May 2022 — Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earl... • https://packetstorm.news/files/id/177036 • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 97%CPEs: 32EXPL: 22CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-30525
12 May 2022 — A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 thro... • https://packetstorm.news/files/id/167372 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 9%CPEs: 48EXPL: 0CVE-2022-0342
https://notcve.org/view.php?id=CVE-2022-0342
28 Mar 2022 — An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. Una vulnerabilidad de omisión de autenticación en el programa CGI de... • https://www.zyxel.com/support/Zyxel-security-advisory-for-authentication-bypass-vulnerability-of-firewalls.shtml • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 74EXPL: 0CVE-2021-35029
https://notcve.org/view.php?id=CVE-2021-35029
02 Jul 2021 — An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device. Una vulnerabilidad de omisión de la autenticación en la interfaz de administración basada en web de Zyxel USG/Zywall series versiones de firmware 4.35 hasta 4.64 y USG Flex, ATP, y VPN versiones de firmware 4.35... • https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml • CWE-287: Improper Authentication •