CVE-2022-26532

🗓️ 24 May 2022 05:20:09Reported by ZyxelType

cve🔗 web.nvd.nist.gov📰️ 7 Media mentions👁 144 Views🌐 WEB

CVE-2022-26532 argument injection vulnerability in Zyxel USG/ZyWAL

Reporter	Title	Published	Views	Family All 11
ATTACKERKB	CVE-2022-26532	24 May 202206:15	–	attackerkb
Circl	CVE-2022-26532	7 Jun 202222:39	–	circl
CNNVD	Zyxel USG/ZyWALL 操作系统命令注入漏洞	24 May 202200:00	–	cnnvd
Cvelist	CVE-2022-26532	24 May 202205:20	–	cvelist
EUVD	EUVD-2022-31089	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in Zyxel products	25 May 202200:00	–	ncsc
NVD	CVE-2022-26532	24 May 202206:15	–	nvd
Packet Storm	Zyxel Buffer Overflow / Format String / Command Injection	19 Jun 202200:00	–	packetstorm
Prion	Design/Logic Flaw	24 May 202206:15	–	prion
RedhatCVE	CVE-2022-26532	5 Feb 202519:06	–	redhatcve

NVD

Node

zyxel vpn100_firmwareRange4.30–5.21

AND

zyxel vpn100Match-

Node

zyxel vpn1000_firmwareRange4.30–5.21

AND

zyxel vpn1000Match-

Node

zyxel vpn300_firmwareRange4.30–5.21

AND

zyxel vpn300Match-

Node

zyxel vpn50_firmwareRange4.30–5.21

AND

zyxel vpn50Match-

Node

zyxel atp100_firmwareRange4.32–5.21

AND

zyxel atp100Match-

Node

zyxel atp100w_firmwareRange4.32–5.21

AND

zyxel atp100wMatch-

Node

zyxel atp200_firmwareRange4.32–5.21

AND

zyxel atp200Match-

Node

zyxel atp500_firmwareRange4.32–5.21

AND

zyxel atp500Match-

Node

zyxel atp700_firmwareRange4.32–5.21

AND

zyxel atp700Match-

Node

zyxel atp800_firmwareRange4.32–5.21

AND

zyxel atp800Match-

Node

zyxel usg_110_firmwareRange4.09–4.71

AND

zyxel usg_110Match-

Node

zyxel usg_1100_firmwareRange4.09–4.71

AND

zyxel usg_1100Match-

Node

zyxel usg_1900_firmwareRange4.09–4.71

AND

zyxel usg_1900Match-

Node

zyxel usg_20w_firmwareRange4.09–4.71

AND

zyxel usg_20wMatch-

Node

zyxel usg_20w-vpn_firmwareRange4.09–4.71

AND

zyxel usg_20w-vpnMatch-

Node

zyxel usg_2200-vpn_firmwareRange4.09–4.71

AND

zyxel usg_2200-vpnMatch-

Node

zyxel usg_310_firmwareRange4.09–4.71

AND

zyxel usg_310Match-

Node

zyxel usg_40_firmwareRange4.09–4.71

AND

zyxel usg_40Match-

Node

zyxel usg_40w_firmwareRange4.09–4.71

AND

zyxel usg_40wMatch-

Node

zyxel usg_60_firmwareRange4.09–4.71

AND

zyxel usg_60Match-

Node

zyxel usg_60w_firmwareRange4.09–4.71

AND

zyxel usg_60wMatch-

Node

zyxel usg_flex_100_firmwareRange4.50–5.21

AND

zyxel usg_flex_100Match-

Node

zyxel usg_flex_100w_firmwareRange4.50–5.21

AND

zyxel usg_flex_100wMatch-

Node

zyxel usg_flex_200_firmwareRange4.50–5.21

AND

zyxel usg_flex_200Match-

Node

zyxel usg_flex_500_firmwareRange4.50–5.21

AND

zyxel usg_flex_500Match-

Node

zyxel usg_flex_700_firmwareRange4.50–5.21

AND

zyxel usg_flex_700Match-

Node

zyxel usg200_firmwareRange4.09–4.71

AND

zyxel usg200Match-

Node

zyxel usg20_firmwareRange4.09–4.71

AND

zyxel usg20Match-

Node

zyxel usg210_firmwareRange4.09–4.71

AND

zyxel usg210Match-

Node

zyxel usg2200_firmwareRange4.09–4.71

AND

zyxel usg2200Match-

Node

zyxel usg300_firmwareRange4.09–4.71

AND

zyxel usg300Match-

Node

zyxel usg310_firmwareRange4.09–4.71

AND

zyxel usg310Match-

Node

zyxel nsg300_firmwareRange1.00–1.33

zyxel nsg300_firmwareMatch1.33-

zyxel nsg300_firmwareMatch1.33patch1

zyxel nsg300_firmwareMatch1.33patch2

zyxel nsg300_firmwareMatch1.33patch3

zyxel nsg300_firmwareMatch1.33patch4

AND

zyxel nsg300Match-

Node

zyxel nsg100_firmwareRange1.00–1.33

zyxel nsg100_firmwareMatch1.33-

zyxel nsg100_firmwareMatch1.33patch1

zyxel nsg100_firmwareMatch1.33patch2

zyxel nsg100_firmwareMatch1.33patch3

zyxel nsg100_firmwareMatch1.33patch4

AND

zyxel nsg100Match-

Node

zyxel nsg50_firmwareRange1.00–1.33

zyxel nsg50_firmwareMatch1.33-

zyxel nsg50_firmwareMatch1.33patch1

zyxel nsg50_firmwareMatch1.33patch2

zyxel nsg50_firmwareMatch1.33patch3

zyxel nsg50_firmwareMatch1.33patch4

AND

zyxel nsg50Match-

Node

zyxel nxc2500_firmwareRange≤6.10(aaig.3)

AND

zyxel nxc2500Match-

Node

zyxel nxc5500_firmwareRange≤6.10(aaos.3)

AND

zyxel nxc5500Match-

Node

zyxel nap203_firmwareRange≤6.25(abfa.7)

AND

zyxel nap203Match-

Node

zyxel nap303_firmwareRange≤6.25(abex.7)

AND

zyxel nap303Match-

Node

zyxel nap353_firmwareRange≤6.25(abey.7)

AND

zyxel nap353Match-

Node

zyxel nwa50ax_firmwareRange≤6.25(abyw.5)

AND

zyxel nwa50axMatch-

Node

zyxel nwa55axe_firmwareRange≤6.25(abzl.5)

AND

zyxel nwa55axeMatch-

Node

zyxel nwa90ax_firmwareRange≤6.27(accv.2)

AND

zyxel nwa90axMatch-

Node

zyxel nwa110ax_firmwareRange≤6.30(abtg.2)

AND

zyxel nwa110axMatch-

Node

zyxel nwa210ax_firmwareRange≤6.30(abtd.2)

AND

zyxel nwa210axMatch-

Node

zyxel nwa1123-ac-hd_firmwareRange≤6.25(abin.6)

AND

zyxel nwa1123-ac-hdMatch-

Node

zyxel nwa1123-ac-pro_firmwareRange≤6.25(abhd.7)

AND

zyxel nwa1123-ac-proMatch-

Node

zyxel nwa1123acv3_firmwareRange≤6.30(abvt.2)

AND

zyxel nwa1123acv3Match-

Node

zyxel nwa1302-ac_firmwareRange≤6.25(abku.6)

AND

zyxel nwa1302-acMatch-

Node

zyxel nwa5123-ac-hd_firmwareRange≤6.25(abim.6)

AND

zyxel nwa5123-ac-hdMatch-

Node

zyxel wac500h_firmwareRange≤6.30(abwa.2)

AND

zyxel wac500hMatch-

Node

zyxel wac500_firmwareRange≤6.30(abvs.2)

AND

zyxel wac500Match-

Node

zyxel wac5302d-s_firmwareRange≤6.10(abfh.10)

AND

zyxel wac5302d-sMatch-

Node

zyxel wac5302d-sv2_firmwareRange≤6.25(abvz.6)

AND

zyxel wac5302d-sv2Match-

Node

zyxel wac6103d-i_firmwareRange≤6.25(aaxh.7)

AND

zyxel wac6103d-iMatch-

Node

zyxel wac6303d-s_firmwareRange≤6.25(abgl.6)

AND

zyxel wac6303d-sMatch-

Node

zyxel wac6502d-e_firmwareRange≤6.25(aasd.7)

AND

zyxel wac6502d-eMatch-

Node

zyxel wac6502d-s_firmwareRange≤6.25(aase.7)

AND

zyxel wac6502d-sMatch-

Node

zyxel wac6503d-s_firmwareRange≤6.25(aasf.7)

AND

zyxel wac6503d-sMatch-

Node

zyxel wac6553d-s_firmwareRange≤6.25(aasg.7)

AND

zyxel wac6553d-sMatch-

Node

zyxel wac6552d-s_firmwareRange≤6.25(abio.7)

AND

zyxel wac6552d-sMatch-

Node

zyxel wax510d_firmwareRange≤6.30(abtf.2)

AND

zyxel wax510dMatch-

Node

zyxel wax610d_firmwareRange≤6.30(abte.2)

AND

zyxel wax610dMatch-

Node

zyxel wax630s_firmwareRange≤6.30(abzd.2)

AND

zyxel wax630sMatch-

Node

zyxel wax650s_firmwareRange≤6.30(abrm.2)

AND

zyxel wax650sMatch-

[
  {
    "product": "USG/ZyWALL series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "4.09 through 4.71"
      }
    ]
  },
  {
    "product": "USG FLEX series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "4.50 through 5.21"
      }
    ]
  },
  {
    "product": "ATP series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "4.32 through 5.21"
      }
    ]
  },
  {
    "product": "VPN series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "4.30 through 5.21"
      }
    ]
  },
  {
    "product": "NSG series firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "1.00 through 1.33 Patch 4"
      }
    ]
  },
  {
    "product": "NXC2500 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.10(AAIG.3)"
      }
    ]
  },
  {
    "product": "NAP203 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.25(ABFA.7)"
      }
    ]
  },
  {
    "product": "NWA50AX firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.25(ABYW.5)"
      }
    ]
  },
  {
    "product": "WAC500 firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.30(ABVS.2)"
      }
    ]
  },
  {
    "product": "WAX510D firmware",
    "vendor": "Zyxel",
    "versions": [
      {
        "status": "affected",
        "version": "<= 6.30(ABTF.2)"
      }
    ]
  }
]

Source	Link
zyxel	www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml
seclists	www.seclists.org/fulldisclosure/2022/Jun/15
packetstormsecurity	www.packetstormsecurity.com/files/167464/Zyxel-Buffer-Overflow-Format-String-Command-Injection.html

Parameter	Position	Path	Description	CWE
packet-trace	path	webconsole/	OS command injection vulnerability in the packet-trace CLI command exploitable via arguments (e.g., extension-filter) when accessed through Zyxel Web Console.	CWE-78, CWE-88
extension-filter	path	webconsole/	OS command injection vulnerability in the packet-trace CLI command exploitable via arguments (e.g., extension-filter) when accessed through Zyxel Web Console.	CWE-78, CWE-88