Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for usg1100_firmware by zyxel

    CVE-2021-35029 (GCVE-0-2021-35029)

    Vulnerability from nvd – Published: 2021-07-02 10:29 – Updated: 2024-08-04 00:33
    VLAI
    Summary
    An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:33:49.831Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "USG/Zywall series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 4.64"
                }
              ]
            },
            {
              "product": "USG FLEX series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            },
            {
              "product": "ATP series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            },
            {
              "product": "VPN series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-02T10:29:07.000Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@zyxel.com.tw",
              "ID": "CVE-2021-35029",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "USG/Zywall series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 4.64"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "USG FLEX series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ATP series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VPN series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Zyxel"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml",
                  "refsource": "MISC",
                  "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2021-35029",
        "datePublished": "2021-07-02T10:29:07.000Z",
        "dateReserved": "2021-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:33:49.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-29583 (GCVE-0-2020-29583)

    Vulnerability from nvd – Published: 2020-12-22 00:00 – Updated: 2025-10-21 23:35
    VLAI CISA KEVIntel
    Summary
    Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.633Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/security_advisories.shtml"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/CVE-2020-29583.shtml"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-29583",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T22:11:59.767015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2021-11-03",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-522",
                    "description": "CWE-522 Insufficiently Protected Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:31.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2021-11-03T00:00:00.000Z",
                "value": "CVE-2020-29583 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-28T00:43:07.540Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.zyxel.com/support/security_advisories.shtml"
            },
            {
              "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf"
            },
            {
              "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
            },
            {
              "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
            },
            {
              "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
            },
            {
              "url": "https://www.zyxel.com/support/CVE-2020-29583.shtml"
            },
            {
              "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-29583",
        "datePublished": "2020-12-22T00:00:00.000Z",
        "dateReserved": "2020-12-06T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:31.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-9054 (GCVE-0-2020-9054)

    Vulnerability from nvd – Published: 2020-03-04 19:30 – Updated: 2025-10-21 23:35
    VLAI CISA Shadowserver KEVIntel
    Title
    ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi
    Summary
    Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - OS Command Injection
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ZyXEL NAS326 Affected: V5.21(AAZF.7)C0 , ≤ V5.21(AAZF.7)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS520 Affected: V5.21(AASZ.3)C0 , ≤ V5.21(AASZ.3)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS540 Affected: V5.21(AATB.4)C0 , ≤ V5.21(AATB.4)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS542 Affected: V5.21(ABAG.4)C0 , ≤ V5.21(ABAG.4)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA210 Affected: all
    Create a notification for this product.
    ZyXEL NSA220 Affected: all
    Create a notification for this product.
    ZyXEL NSA220+ Affected: all
    Create a notification for this product.
    ZyXEL NSA221 Affected: all
    Create a notification for this product.
    ZyXEL NSA310 Affected: V4.75(AALH.2)C0 , ≤ V4.75(AALH.2)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA320 Affected: all
    Create a notification for this product.
    ZyXEL NSA320S Affected: V4.75(AANV.2)C0 , ≤ V4.75(AANV.2)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA325 Affected: V4.81(AAAJ.1)C0 , ≤ V4.81(AAAJ.1)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA325v2 Affected: V4.81(AALS.1)C0 , ≤ V4.81(AALS.1)C0 (custom)
    Create a notification for this product.
    Date Public
    2020-02-20 00:00
    Credits
    Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:19:19.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cwe.mitre.org/data/definitions/78.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
              },
              {
                "name": "VU#498544",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/498544/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-9054",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T13:09:21.970154Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-03-25",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-78",
                    "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:50.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-03-25T00:00:00.000Z",
                "value": "CVE-2020-9054 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NAS326",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AAZF.7)C0",
                  "status": "affected",
                  "version": "V5.21(AAZF.7)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS520",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AASZ.3)C0",
                  "status": "affected",
                  "version": "V5.21(AASZ.3)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS540",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AATB.4)C0",
                  "status": "affected",
                  "version": "V5.21(AATB.4)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS542",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(ABAG.4)C0",
                  "status": "affected",
                  "version": "V5.21(ABAG.4)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA210",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA220",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA220+",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA221",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA310",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.75(AALH.2)C0",
                  "status": "affected",
                  "version": "V4.75(AALH.2)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA320",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA320S",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.75(AANV.2)C0",
                  "status": "affected",
                  "version": "V4.75(AANV.2)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA325",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.81(AAAJ.1)C0",
                  "status": "affected",
                  "version": "V4.81(AAAJ.1)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA325v2",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.81(AALS.1)C0",
                  "status": "affected",
                  "version": "V4.81(AALS.1)C0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability."
            }
          ],
          "datePublic": "2020-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2"
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "https://kb.cert.org/artifacts/cve-2020-9054.html"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-04T19:30:18.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cwe.mitre.org/data/definitions/78.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
            },
            {
              "name": "VU#498544",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/498544/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi",
          "workarounds": [
            {
              "lang": "en",
              "value": "Block access to the ZyXEL device web interface:\n\nThis issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet.\n\nRestrict access to vulnerable ZyXEL devices:\n\nDirect exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2020-02-20T00:00:00.000Z",
              "ID": "CVE-2020-9054",
              "STATE": "PUBLIC",
              "TITLE": "ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NAS326",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AAZF.7)C0",
                                "version_value": "V5.21(AAZF.7)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS520",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AASZ.3)C0",
                                "version_value": "V5.21(AASZ.3)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS540",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AATB.4)C0",
                                "version_value": "V5.21(AATB.4)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS542",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(ABAG.4)C0",
                                "version_value": "V5.21(ABAG.4)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA210",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA220",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA220+",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA221",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA310",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.75(AALH.2)C0",
                                "version_value": "V4.75(AALH.2)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA320",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA320S",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.75(AANV.2)C0",
                                "version_value": "V4.75(AANV.2)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA325",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.81(AAAJ.1)C0",
                                "version_value": "V4.81(AAAJ.1)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA325v2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.81(AALS.1)C0",
                                "version_value": "V4.81(AALS.1)C0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ZyXEL"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2"
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "https://kb.cert.org/artifacts/cve-2020-9054.html"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 OS Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwe.mitre.org/data/definitions/78.html",
                  "refsource": "MISC",
                  "url": "https://cwe.mitre.org/data/definitions/78.html"
                },
                {
                  "name": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
                },
                {
                  "name": "VU#498544",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/498544/"
                },
                {
                  "name": "https://kb.cert.org/artifacts/cve-2020-9054.html",
                  "refsource": "MISC",
                  "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
                },
                {
                  "name": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/",
                  "refsource": "MISC",
                  "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Block access to the ZyXEL device web interface:\n\nThis issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet.\n\nRestrict access to vulnerable ZyXEL devices:\n\nDirect exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2020-9054",
        "datePublished": "2020-03-04T19:30:18.400Z",
        "dateReserved": "2020-02-18T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:50.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12581 (GCVE-0-2019-12581)

    Vulnerability from nvd – Published: 2019-06-27 14:10 – Updated: 2024-08-04 23:24
    VLAI
    Summary
    A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:24:39.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/us/en/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-27T14:10:08.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zyxel.com/us/en/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-12581",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/us/en/",
                  "refsource": "MISC",
                  "url": "https://www.zyxel.com/us/en/"
                },
                {
                  "name": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
                },
                {
                  "name": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html",
                  "refsource": "MISC",
                  "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
                },
                {
                  "name": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/",
                  "refsource": "MISC",
                  "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-12581",
        "datePublished": "2019-06-27T14:10:08.000Z",
        "dateReserved": "2019-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:24:39.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12583 (GCVE-0-2019-12583)

    Vulnerability from nvd – Published: 2019-06-27 14:01 – Updated: 2024-08-04 23:24
    VLAI
    Summary
    Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:24:39.316Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Access Control in the \"Free Time\" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-27T14:01:02.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-12583",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Missing Access Control in the \"Free Time\" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
                },
                {
                  "name": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/",
                  "refsource": "MISC",
                  "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-12583",
        "datePublished": "2019-06-27T14:01:02.000Z",
        "dateReserved": "2019-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:24:39.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9955 (GCVE-0-2019-9955)

    Vulnerability from nvd – Published: 2019-04-22 19:38 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-04-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:08.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
              },
              {
                "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
              },
              {
                "name": "46706",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "https://www.exploit-db.com/exploits/46706/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-04-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized \u0027mp_idx\u0027 parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-22T19:38:59.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
            },
            {
              "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
            },
            {
              "name": "46706",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "https://www.exploit-db.com/exploits/46706/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9955",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized \u0027mp_idx\u0027 parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page",
                  "refsource": "MISC",
                  "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
                },
                {
                  "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
                },
                {
                  "name": "46706",
                  "refsource": "EXPLOIT-DB",
                  "url": "https://www.exploit-db.com/exploits/46706/"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
                },
                {
                  "name": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9955",
        "datePublished": "2019-04-22T19:38:59.000Z",
        "dateReserved": "2019-03-23T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:08.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-35029 (GCVE-0-2021-35029)

    Vulnerability from cvelistv5 – Published: 2021-07-02 10:29 – Updated: 2024-08-04 00:33
    VLAI
    Summary
    An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:33:49.831Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "USG/Zywall series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 4.64"
                }
              ]
            },
            {
              "product": "USG FLEX series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            },
            {
              "product": "ATP series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            },
            {
              "product": "VPN series Firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.35 through 5.01"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-02T10:29:07.000Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@zyxel.com.tw",
              "ID": "CVE-2021-35029",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "USG/Zywall series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 4.64"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "USG FLEX series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "ATP series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "VPN series Firmware",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.35 through 5.01"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Zyxel"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "9.8",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml",
                  "refsource": "MISC",
                  "url": "https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2021-35029",
        "datePublished": "2021-07-02T10:29:07.000Z",
        "dateReserved": "2021-06-17T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:33:49.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-29583 (GCVE-0-2020-29583)

    Vulnerability from cvelistv5 – Published: 2020-12-22 00:00 – Updated: 2025-10-21 23:35
    VLAI CISA KEVIntel
    Summary
    Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
    SSVC
    Exploitation: active Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:55:10.633Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/security_advisories.shtml"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/CVE-2020-29583.shtml"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-29583",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-10T22:11:59.767015Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2021-11-03",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-522",
                    "description": "CWE-522 Insufficiently Protected Credentials",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:31.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2021-11-03T00:00:00.000Z",
                "value": "CVE-2020-29583 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-28T00:43:07.540Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://www.zyxel.com/support/security_advisories.shtml"
            },
            {
              "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf"
            },
            {
              "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
            },
            {
              "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
            },
            {
              "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
            },
            {
              "url": "https://www.zyxel.com/support/CVE-2020-29583.shtml"
            },
            {
              "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-29583",
        "datePublished": "2020-12-22T00:00:00.000Z",
        "dateReserved": "2020-12-06T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:31.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-9054 (GCVE-0-2020-9054)

    Vulnerability from cvelistv5 – Published: 2020-03-04 19:30 – Updated: 2025-10-21 23:35
    VLAI CISA Shadowserver KEVIntel
    Title
    ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi
    Summary
    Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2
    SSVC
    Exploitation: active Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - OS Command Injection
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ZyXEL NAS326 Affected: V5.21(AAZF.7)C0 , ≤ V5.21(AAZF.7)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS520 Affected: V5.21(AASZ.3)C0 , ≤ V5.21(AASZ.3)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS540 Affected: V5.21(AATB.4)C0 , ≤ V5.21(AATB.4)C0 (custom)
    Create a notification for this product.
    ZyXEL NAS542 Affected: V5.21(ABAG.4)C0 , ≤ V5.21(ABAG.4)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA210 Affected: all
    Create a notification for this product.
    ZyXEL NSA220 Affected: all
    Create a notification for this product.
    ZyXEL NSA220+ Affected: all
    Create a notification for this product.
    ZyXEL NSA221 Affected: all
    Create a notification for this product.
    ZyXEL NSA310 Affected: V4.75(AALH.2)C0 , ≤ V4.75(AALH.2)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA320 Affected: all
    Create a notification for this product.
    ZyXEL NSA320S Affected: V4.75(AANV.2)C0 , ≤ V4.75(AANV.2)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA325 Affected: V4.81(AAAJ.1)C0 , ≤ V4.81(AAAJ.1)C0 (custom)
    Create a notification for this product.
    ZyXEL NSA325v2 Affected: V4.81(AALS.1)C0 , ≤ V4.81(AALS.1)C0 (custom)
    Create a notification for this product.
    Date Public
    2020-02-20 00:00
    Credits
    Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:19:19.559Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://cwe.mitre.org/data/definitions/78.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
              },
              {
                "name": "VU#498544",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_CERT-VN",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/vuls/id/498544/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-9054",
                    "options": [
                      {
                        "Exploitation": "active"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-07T13:09:21.970154Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              },
              {
                "other": {
                  "content": {
                    "dateAdded": "2022-03-25",
                    "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054"
                  },
                  "type": "kev"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-78",
                    "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-21T23:35:50.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "government-resource"
                ],
                "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9054"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2022-03-25T00:00:00.000Z",
                "value": "CVE-2020-9054 added to CISA KEV"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "NAS326",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AAZF.7)C0",
                  "status": "affected",
                  "version": "V5.21(AAZF.7)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS520",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AASZ.3)C0",
                  "status": "affected",
                  "version": "V5.21(AASZ.3)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS540",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(AATB.4)C0",
                  "status": "affected",
                  "version": "V5.21(AATB.4)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NAS542",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V5.21(ABAG.4)C0",
                  "status": "affected",
                  "version": "V5.21(ABAG.4)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA210",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA220",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA220+",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA221",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA310",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.75(AALH.2)C0",
                  "status": "affected",
                  "version": "V4.75(AALH.2)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA320",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            },
            {
              "product": "NSA320S",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.75(AANV.2)C0",
                  "status": "affected",
                  "version": "V4.75(AANV.2)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA325",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.81(AAAJ.1)C0",
                  "status": "affected",
                  "version": "V4.81(AAAJ.1)C0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "NSA325v2",
              "vendor": "ZyXEL",
              "versions": [
                {
                  "lessThanOrEqual": "V4.81(AALS.1)C0",
                  "status": "affected",
                  "version": "V4.81(AALS.1)C0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability."
            }
          ],
          "datePublic": "2020-02-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2"
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "https://kb.cert.org/artifacts/cve-2020-9054.html"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-03-04T19:30:18.000Z",
            "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
            "shortName": "certcc"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://cwe.mitre.org/data/definitions/78.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
            },
            {
              "name": "VU#498544",
              "tags": [
                "third-party-advisory",
                "x_refsource_CERT-VN"
              ],
              "url": "https://kb.cert.org/vuls/id/498544/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi",
          "workarounds": [
            {
              "lang": "en",
              "value": "Block access to the ZyXEL device web interface:\n\nThis issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet.\n\nRestrict access to vulnerable ZyXEL devices:\n\nDirect exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cert@cert.org",
              "DATE_PUBLIC": "2020-02-20T00:00:00.000Z",
              "ID": "CVE-2020-9054",
              "STATE": "PUBLIC",
              "TITLE": "ZyXEL NAS products running firmware version 5.21 and earlier are vulnerable to pre-authentication command injection in weblogin.cgi"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "NAS326",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AAZF.7)C0",
                                "version_value": "V5.21(AAZF.7)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS520",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AASZ.3)C0",
                                "version_value": "V5.21(AASZ.3)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS540",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(AATB.4)C0",
                                "version_value": "V5.21(AATB.4)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NAS542",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V5.21(ABAG.4)C0",
                                "version_value": "V5.21(ABAG.4)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA210",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA220",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA220+",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA221",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA310",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.75(AALH.2)C0",
                                "version_value": "V4.75(AALH.2)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA320",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "all"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA320S",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.75(AANV.2)C0",
                                "version_value": "V4.75(AANV.2)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA325",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.81(AAAJ.1)C0",
                                "version_value": "V4.81(AAAJ.1)C0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "NSA325v2",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "V4.81(AALS.1)C0",
                                "version_value": "V4.81(AALS.1)C0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "ZyXEL"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Thanks to Alex Holden of Hold Security for finding and reporting this vulnerability."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2"
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "https://kb.cert.org/artifacts/cve-2020-9054.html"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78 OS Command Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://cwe.mitre.org/data/definitions/78.html",
                  "refsource": "MISC",
                  "url": "https://cwe.mitre.org/data/definitions/78.html"
                },
                {
                  "name": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
                },
                {
                  "name": "VU#498544",
                  "refsource": "CERT-VN",
                  "url": "https://kb.cert.org/vuls/id/498544/"
                },
                {
                  "name": "https://kb.cert.org/artifacts/cve-2020-9054.html",
                  "refsource": "MISC",
                  "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
                },
                {
                  "name": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/",
                  "refsource": "MISC",
                  "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            },
            "work_around": [
              {
                "lang": "en",
                "value": "Block access to the ZyXEL device web interface:\n\nThis issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet.\n\nRestrict access to vulnerable ZyXEL devices:\n\nDirect exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page."
              }
            ]
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "assignerShortName": "certcc",
        "cveId": "CVE-2020-9054",
        "datePublished": "2020-03-04T19:30:18.400Z",
        "dateReserved": "2020-02-18T00:00:00.000Z",
        "dateUpdated": "2025-10-21T23:35:50.221Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12581 (GCVE-0-2019-12581)

    Vulnerability from cvelistv5 – Published: 2019-06-27 14:10 – Updated: 2024-08-04 23:24
    VLAI
    Summary
    A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:24:39.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/us/en/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-27T14:10:08.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.zyxel.com/us/en/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-12581",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A reflective Cross-site scripting (XSS) vulnerability in the free_time_failed.cgi CGI program in selected Zyxel ZyWall, USG, and UAG devices allows remote attackers to inject arbitrary web script or HTML via the err_msg parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/us/en/",
                  "refsource": "MISC",
                  "url": "https://www.zyxel.com/us/en/"
                },
                {
                  "name": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
                },
                {
                  "name": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html",
                  "refsource": "MISC",
                  "url": "https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html"
                },
                {
                  "name": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/",
                  "refsource": "MISC",
                  "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-12581",
        "datePublished": "2019-06-27T14:10:08.000Z",
        "dateReserved": "2019-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:24:39.189Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-12583 (GCVE-0-2019-12583)

    Vulnerability from cvelistv5 – Published: 2019-06-27 14:01 – Updated: 2024-08-04 23:24
    VLAI
    Summary
    Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T23:24:39.316Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Missing Access Control in the \"Free Time\" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-27T14:01:02.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-12583",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Missing Access Control in the \"Free Time\" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
                },
                {
                  "name": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/",
                  "refsource": "MISC",
                  "url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-12583",
        "datePublished": "2019-06-27T14:01:02.000Z",
        "dateReserved": "2019-06-02T00:00:00.000Z",
        "dateUpdated": "2024-08-04T23:24:39.316Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9955 (GCVE-0-2019-9955)

    Vulnerability from cvelistv5 – Published: 2019-04-22 19:38 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-04-15 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:08.670Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
              },
              {
                "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
              },
              {
                "name": "46706",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "https://www.exploit-db.com/exploits/46706/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-04-15T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized \u0027mp_idx\u0027 parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-04-22T19:38:59.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
            },
            {
              "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
            },
            {
              "name": "46706",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "https://www.exploit-db.com/exploits/46706/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9955",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized \u0027mp_idx\u0027 parameter."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page",
                  "refsource": "MISC",
                  "url": "https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page"
                },
                {
                  "name": "20190416 CVE-2019-9955 Refelected XSS on Zyxel Login page",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2019/Apr/22"
                },
                {
                  "name": "46706",
                  "refsource": "EXPLOIT-DB",
                  "url": "https://www.exploit-db.com/exploits/46706/"
                },
                {
                  "name": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/152525/Zyxel-ZyWall-Cross-Site-Scripting.html"
                },
                {
                  "name": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml",
                  "refsource": "CONFIRM",
                  "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9955",
        "datePublished": "2019-04-22T19:38:59.000Z",
        "dateReserved": "2019-03-23T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:08.670Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }