CVE-2022-0342

critical-risk

Published 2022-03-28

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.

Do I need to act?

92.4% chance of exploitation in next 30 days

EPSS score — higher than 8% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Usg40 Firmware

Usg40W Firmware

Usg60 Firmware

Usg60W Firmware

Zywall 110 Firmware

Zywall 310 Firmware

Zywall 1100 Firmware

Usg Flex 100 Firmware

Usg Flex 200 Firmware

Usg Flex 500 Firmware

Usg Flex 100W Firmware

Usg Flex 700 Firmware

Atp100 Firmware

Atp100W Firmware

Atp200 Firmware

Atp500 Firmware

Atp700 Firmware

Atp800 Firmware

Vpn50 Firmware

Vpn100 Firmware

Affected Vendors

Zyxel

References (2)

Vendor Advisory https://www.zyxel.com/support/Zyxel-security-advisory-for-authentication-bypass-...

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 21/34 · High