CVE-2019-12583

high-risk

Published 2019-06-27

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

Do I need to act?

59.1% chance of exploitation in next 30 days

EPSS score — higher than 41% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (14)

Uag2100 Firmware

Uag4100 Firmware

Uag5100 Firmware

Usg110 Firmware

Usg210 Firmware

Usg310 Firmware

Usg1100 Firmware

Usg1900 Firmware

Usg2200-Vpn Firmware

Zywall Vpn100 Firmware

Zywall Vpn300 Firmware

Zywall 110 Firmware

Zywall 310 Firmware

Zywall 1100 Firmware

Affected Vendors

Zyxel

References (4)

Exploit https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-gener...

Patch https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.s...

Exploit https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-gener...

Patch https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.s...

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 18/34 · Moderate

Exposure 18/34 · Moderate