Lucene search

[email protected]CVE-2022-26531

HistoryMay 24, 2022 - 6:15 a.m.

CVE-2022-26531

2022-05-2406:15:09

CWE-20

[email protected]

web.nvd.nist.gov

cve-2022-26531

zyxel

usg

zywall

atp

vpn

nsg

nxc2500

nap203

nwa50ax

wac500

wax510d

buffer overflow

system crash

cli commands

firmware vulnerability

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload.

Affected configurations

NVD

Node

zyxelvpn100Match-

AND

zyxelvpn100_firmwareRange4.30–5.21

Node

zyxelvpn1000Match-

AND

zyxelvpn1000_firmwareRange4.30–5.21

Node

zyxelvpn300Match-

AND

zyxelvpn300_firmwareRange4.30–5.21

Node

zyxelvpn50Match-

AND

zyxelvpn50_firmwareRange4.30–5.21

Node

zyxelatp100Match-

AND

zyxelatp100_firmwareRange4.32–5.21

Node

zyxelatp100wMatch-

AND

zyxelatp100w_firmwareRange4.32–5.21

Node

zyxelatp200Match-

AND

zyxelatp200_firmwareRange4.32–5.21

Node

zyxelatp500Match-

AND

zyxelatp500_firmwareRange4.32–5.21

Node

zyxelatp700_firmwareRange4.32–5.21

AND

zyxelatp700Match-

Node

zyxelatp800_firmwareRange4.32–5.21

AND

zyxelatp800Match-

Node

zyxelusg_110_firmwareRange4.09–4.71

AND

zyxelusg_110Match-

Node

zyxelusg_1100_firmwareRange4.09–4.71

AND

zyxelusg_1100Match-

Node

zyxelusg_1900_firmwareRange4.09–4.71

AND

zyxelusg_1900Match-

Node

zyxelusg_20w_firmwareRange4.09–4.71

AND

zyxelusg_20wMatch-

Node

zyxelusg_20w-vpn_firmwareRange4.09–4.71

AND

zyxelusg_20w-vpnMatch-

Node

zyxelusg_2200-vpn_firmwareRange4.09–4.71

AND

zyxelusg_2200-vpnMatch-

Node

zyxelusg_310_firmwareRange4.09–4.71

AND

zyxelusg_310Match-

Node

zyxelusg_40_firmwareRange4.09–4.71

AND

zyxelusg_40Match-

Node

zyxelusg_40w_firmwareRange4.09–4.71

AND

zyxelusg_40wMatch-

Node

zyxelusg_60_firmwareRange4.09–4.71

AND

zyxelusg_60Match-

Node

zyxelusg_60w_firmwareRange4.09–4.71

AND

zyxelusg_60wMatch-

Node

zyxelusg_flex_100_firmwareRange4.50–5.21

AND

zyxelusg_flex_100Match-

Node

zyxelusg_flex_100w_firmwareRange4.50–5.21

AND

zyxelusg_flex_100wMatch-

Node

zyxelusg_flex_200_firmwareRange4.50–5.21

AND

zyxelusg_flex_200Match-

Node

zyxelusg_flex_500_firmwareRange4.50–5.21

AND

zyxelusg_flex_500Match-

Node

zyxelusg_flex_700_firmwareRange4.50–5.21

AND

zyxelusg_flex_700Match-

Node

zyxelusg200_firmwareRange4.09–4.71

AND

zyxelusg200Match-

Node

zyxelusg20_firmwareRange4.09–4.71

AND

zyxelusg20Match-

Node

zyxelusg210_firmwareRange4.09–4.71

AND

zyxelusg210Match-

Node

zyxelusg2200_firmwareRange4.09–4.71

AND

zyxelusg2200Match-

Node

zyxelusg300_firmwareRange4.09–4.71

AND

zyxelusg300Match-

Node

zyxelusg310_firmwareRange4.09–4.71

AND

zyxelusg310Match-

Node

zyxelnsg300_firmwareRange1.00–1.33

zyxelnsg300_firmwareMatch1.33-

zyxelnsg300_firmwareMatch1.33patch1

zyxelnsg300_firmwareMatch1.33patch2

zyxelnsg300_firmwareMatch1.33patch3

zyxelnsg300_firmwareMatch1.33patch4

AND

zyxelnsg300Match-

Node

zyxelnsg100_firmwareRange1.00–1.33

zyxelnsg100_firmwareMatch1.33-

zyxelnsg100_firmwareMatch1.33patch1

zyxelnsg100_firmwareMatch1.33patch2

zyxelnsg100_firmwareMatch1.33patch3

zyxelnsg100_firmwareMatch1.33patch4

AND

zyxelnsg100Match-

Node

zyxelnsg50_firmwareRange1.00–1.33

zyxelnsg50_firmwareMatch1.33-

zyxelnsg50_firmwareMatch1.33patch1

zyxelnsg50_firmwareMatch1.33patch2

zyxelnsg50_firmwareMatch1.33patch3

zyxelnsg50_firmwareMatch1.33patch4

AND

zyxelnsg50Match-

Node

zyxelnxc2500_firmwareRange≤6.10\(aaig.3\)

AND

zyxelnxc2500Match-

Node

zyxelnxc5500_firmwareRange≤6.10\(aaos.3\)

AND

zyxelnxc5500Match-

Node

zyxelnap203_firmwareRange≤6.25\(abfa.7\)

AND

zyxelnap203Match-

Node

zyxelnap303_firmwareRange≤6.25\(abex.7\)

AND

zyxelnap303Match-

Node

zyxelnap353_firmwareRange≤6.25\(abey.7\)

AND

zyxelnap353Match-

Node

zyxelnwa50ax_firmwareRange≤6.25\(abyw.5\)

AND

zyxelnwa50axMatch-

Node

zyxelnwa55axe_firmwareRange≤6.25\(abzl.5\)

AND

zyxelnwa55axeMatch-

Node

zyxelnwa90ax_firmwareRange≤6.27\(accv.2\)

AND

zyxelnwa90axMatch-

Node

zyxelnwa110ax_firmwareRange≤6.30\(abtg.2\)

AND

zyxelnwa110axMatch-

Node

zyxelnwa210ax_firmwareRange≤6.30\(abtd.2\)

AND

zyxelnwa210axMatch-

Node

zyxelnwa1123-ac-hd_firmwareRange≤6.25\(abin.6\)

AND

zyxelnwa1123-ac-hdMatch-

Node

zyxelnwa1123-ac-pro_firmwareRange≤6.25\(abhd.7\)

AND

zyxelnwa1123-ac-proMatch-

Node

zyxelnwa1123acv3_firmwareRange≤6.30\(abvt.2\)

AND

zyxelnwa1123acv3Match-

Node

zyxelnwa1302-ac_firmwareRange≤6.25\(abku.6\)

AND

zyxelnwa1302-acMatch-

Node

zyxelnwa5123-ac-hd_firmwareRange≤6.25\(abim.6\)

AND

zyxelnwa5123-ac-hdMatch-

Node

zyxelwac500h_firmwareRange≤6.30\(abwa.2\)

AND

zyxelwac500hMatch-

Node

zyxelwac500_firmwareRange≤6.30\(abvs.2\)

AND

zyxelwac500Match-

Node

zyxelwac5302d-s_firmwareRange≤6.10\(abfh.10\)

AND

zyxelwac5302d-sMatch-

Node

zyxelwac5302d-sv2_firmwareRange≤6.25\(abvz.6\)

AND

zyxelwac5302d-sv2Match-

Node

zyxelwac6103d-i_firmwareRange≤6.25\(aaxh.7\)

AND

zyxelwac6103d-iMatch-

Node

zyxelwac6303d-s_firmwareRange≤6.25\(abgl.6\)

AND

zyxelwac6303d-sMatch-

Node

zyxelwac6502d-e_firmwareRange≤6.25\(aasd.7\)

AND

zyxelwac6502d-eMatch-

Node

zyxelwac6502d-s_firmwareRange≤6.25\(aase.7\)

AND

zyxelwac6502d-sMatch-

Node

zyxelwac6503d-s_firmwareRange≤6.25\(aasf.7\)

AND

zyxelwac6503d-sMatch-

Node

zyxelwac6553d-s_firmwareRange≤6.25\(aasg.7\)

AND

zyxelwac6553d-sMatch-

Node

zyxelwac6552d-s_firmwareRange≤6.25\(abio.7\)

AND

zyxelwac6552d-sMatch-

Node

zyxelwax510d_firmwareRange≤6.30\(abtf.2\)

AND

zyxelwax510dMatch-

Node

zyxelwax610d_firmwareRange≤6.30\(abte.2\)

AND

zyxelwax610dMatch-

Node

zyxelwax630s_firmwareRange≤6.30\(abzd.2\)

AND

zyxelwax630sMatch-

Node

zyxelwax650s_firmwareRange≤6.30\(abrm.2\)

AND

zyxelwax650sMatch-

CPENameOperatorVersion
zyxel:vpn100_firmwarezyxel vpn100 firmwarele5.21

CPE	Name	Operator	Version
zyxel:vpn100_firmware	zyxel vpn100 firmware	le	5.21

CNA Affected

[
  {
    "vendor": "Zyxel",
    "product": "USG/ZyWALL series firmware",
    "versions": [
      {
        "version": "4.09 through 4.71",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "USG FLEX series firmware",
    "versions": [
      {
        "version": "4.50 through 5.21",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "ATP series firmware",
    "versions": [
      {
        "version": "4.32 through 5.21",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "VPN series firmware",
    "versions": [
      {
        "version": "4.30 through 5.21",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "NSG series firmware",
    "versions": [
      {
        "version": "1.00 through 1.33 Patch 4",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "NXC2500 firmware",
    "versions": [
      {
        "version": "<= 6.10(AAIG.3)",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "NAP203 firmware",
    "versions": [
      {
        "version": "<= 6.25(ABFA.7)",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "NWA50AX firmware",
    "versions": [
      {
        "version": "<= 6.25(ABYW.5)",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "WAC500 firmware",
    "versions": [
      {
        "version": "<= 6.30(ABVS.2)",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Zyxel",
    "product": "WAX510D firmware",
    "versions": [
      {
        "version": "<= 6.30(ABTF.2)",
        "status": "affected"
      }
    ]
  }
]

References

packetstormsecurity.com/files/167464/Zyxel-Buffer-Overflow-Format-String-Command-Injection.html

packetstormsecurity.com/files/177036/Zyxel-zysh-Format-String-Proof-Of-Concept.html

seclists.org/fulldisclosure/2022/Jun/15

www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

Social References

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.2%

JSON

Related for CVE-2022-26531

prion1 zdt1 exploitdb1 cvelist1 packetstorm2 nvd1 thn1