CVE-2019-12581

high-risk

Published 2019-06-27

A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.

Do I need to act?

35.8% chance of exploitation in next 30 days

EPSS score — higher than 64% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (9)

Uag2100 Firmware

Uag4100 Firmware

Uag5100 Firmware

Usg110 Firmware

Usg210 Firmware

Usg310 Firmware

Usg1100 Firmware

Usg1900 Firmware

Usg2200-Vpn Firmware

Affected Vendors

Zyxel

References (8)

Exploit https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-gener...

Exploit https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxe...

Patch https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.s...

Vendor Advisory https://www.zyxel.com/us/en/

Exploit https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-gener...

Exploit https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxe...

Patch https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.s...

Vendor Advisory https://www.zyxel.com/us/en/

/ 100

high-risk

Severity 23/34 · High

Exploitability 16/34 · Moderate

Exposure 15/34 · Moderate