CVE-2021-35029

high-risk

Published 2021-07-02

An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.

Do I need to act?

0.20% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Usg1900 Firmware

Usg1100 Firmware

Usg310 Firmware

Usg210 Firmware

Usg110 Firmware

Usg40 Firmware

Usg40W Firmware

Usg60 Firmware

Usg60W Firmware

Usg300 Firmware

Usg1000 Firmware

Usg2000 Firmware

Usg20 Firmware

Usg20W Firmware

Usg50 Firmware

Usg100 Firmware

Usg200 Firmware

Usg Flex 100 Firmware

Usg Flex 200 Firmware

Usg Flex 500 Firmware

Affected Vendors

Zyxel

References (2)

Vendor Advisory https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_securi...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 24/34 · High