Improper input validation in Zyxel Atp Series Firmware
CVE-2022-26531
Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5…
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.010 (77.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H.
Affected products
- Zyxel Atp Series Firmware — versions 4.32 through 5.21
- Zyxel Nap203 Firmware — versions <= 6.25(ABFA.7)
- Zyxel Nsg Series Firmware — versions 1.00 through 1.33 Patch 4
- Zyxel Nwa50ax Firmware — versions <= 6.25(ABYW.5)
- Zyxel Nxc2500 Firmware — versions <= 6.10(AAIG.3)
- Zyxel Usg Flex Series Firmware — versions 4.50 through 5.21
- Zyxel Usg/zywall Series Firmware — versions 4.09 through 4.71
- Zyxel Vpn Series Firmware — versions 4.30 through 5.21
- Zyxel Wac500 Firmware — versions <= 6.30(ABVS.2)
- Zyxel Wax510d Firmware — versions <= 6.30(ABTF.2)
Weakness classification (CWE)
Public proof-of-concept exploits
References
- www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-…
- 20220610 HNS-2022-02 - HN Security Advisory - Multiple vulnerabilities in Zyxel zysh (mailing-list)
- packetstormsecurity.com/files/167464/Zyxel-Buffer-Overflow-Format-String-Comman…
- packetstormsecurity.com/files/177036/Zyxel-zysh-Format-String-Proof-Of-Concept…
Frequently asked questions
- What is CVE-2022-26531?
- CVE-2022-26531 is a medium-severity vulnerability in Zyxel Atp Series Firmware, classified under Improper Input Validation. CVSS score: 6.1/10. Published 2022-05-24.
- How severe is CVE-2022-26531?
- Medium severity. CVSS v3 base score is 6.1 out of 10.
- Is CVE-2022-26531 known to be exploited?
- 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.