Lucene search

[email protected]CVE-2022-0910

HistoryMay 24, 2022 - 3:15 a.m.

CVE-2022-0910

2022-05-2403:15:00

CWE-287

[email protected]

web.nvd.nist.gov

cve-2022-0910

zyxel

usg

zywall

usg flex

atp

vpn

firmware

vulnerability

2fa

1fa

downgrade

authentication

bypass

ipsec

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

22.4%

JSON

A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

CPENameOperatorVersion
zyxel:vpn100_firmwarezyxel vpn100 firmwarele5.21
zyxel:vpn1000_firmwarezyxel vpn1000 firmwarele5.21
zyxel:vpn300_firmwarezyxel vpn300 firmwarele5.21
zyxel:vpn50_firmwarezyxel vpn50 firmwarele5.21
zyxel:atp100_firmwarezyxel atp100 firmwarele5.21
zyxel:atp100w_firmwarezyxel atp100w firmwarele5.21
zyxel:atp200_firmwarezyxel atp200 firmwarele5.21
zyxel:atp500_firmwarezyxel atp500 firmwarele5.21
zyxel:atp700_firmwarezyxel atp700 firmwarele5.21
zyxel:atp800_firmwarezyxel atp800 firmwarele5.21

CPE	Name	Operator	Version
zyxel:vpn100_firmware	zyxel vpn100 firmware	le	5.21
zyxel:vpn1000_firmware	zyxel vpn1000 firmware	le	5.21
zyxel:vpn300_firmware	zyxel vpn300 firmware	le	5.21
zyxel:vpn50_firmware	zyxel vpn50 firmware	le	5.21
zyxel:atp100_firmware	zyxel atp100 firmware	le	5.21
zyxel:atp100w_firmware	zyxel atp100w firmware	le	5.21
zyxel:atp200_firmware	zyxel atp200 firmware	le	5.21
zyxel:atp500_firmware	zyxel atp500 firmware	le	5.21
zyxel:atp700_firmware	zyxel atp700 firmware	le	5.21
zyxel:atp800_firmware	zyxel atp800 firmware	le	5.21

Rows per page:

1-10 of 321

References

www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

Social References

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

22.4%

JSON

Related for CVE-2022-0910

cvelist1 prion1 thn1