Alessandro Sgreccia

**Name of the Vulnerable Software and Affected Versions** USG FLEX H series uOS firmware version V1.31 and earlier **Description** An improper privilege management issue in the recovery function could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. **Recommendations** For USG FLEX H series uOS firmware version V1.31 and earlier, consider disabling the recovery function until a patch is available to prevent potential privilege escalation. Restrict access to the device to minimize the risk of exploitation. Avoid using the recovery function with administrator privileges until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** USG FLEX H series uOS firmware versions from V1.20 through V1.31 **Description** An incorrect permission assignment vulnerability in the PostgreSQL commands could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid. **Recommendations** For USG FLEX H series uOS firmware versions from V1.20 through V1.31, consider disabling the PostgreSQL command processing as a temporary workaround until a patch is available. Restrict access to the Linux shell to minimize the risk of exploitation. Avoid using stolen tokens for administrator-level access until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zyxel WBE530 firmware versions through 7.00(ACLE.3) Zyxel WBE660S firmware versions through 6.70(ACGG.2) **Description** An improper privilege management vulnerability in the web management interface could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device. **Recommendations** For Zyxel WBE530 firmware versions through 7.00(ACLE.3), update to a version that contains a fix for this issue. For Zyxel WBE660S firmware versions through 6.70(ACGG.2), update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the web management interface until a patch is available. Avoid using the vulnerable web management interface to upload configuration files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** USG FLEX H series uOS firmware versions V1.21 and earlier **Description** The issue allows an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. This attack could be successful only if the administrator has not logged out. **Recommendations** For USG FLEX H series uOS firmware versions V1.21 and earlier, update to a version later than V1.21 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series firmware versions from V4.60 through V5.38 Zyxel USG FLEX series firmware versions from V4.60 through V5.38 **Description** A post-authentication command injection issue exists in the firmware of Zyxel ATP and USG FLEX series devices. This could allow an authenticated attacker with administrator privileges to execute certain operating system commands on an affected device by executing a crafted CLI command. The vulnerability arises due to the failure to neutralize special elements used in the operating system command. **Recommendations** For Zyxel ATP series firmware versions from V4.60 through V5.38, update to a version that contains a fix for this issue. For Zyxel USG FLEX series firmware versions from V4.60 through V5.38, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the CLI command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel WBE660S versions 6.70(ACGG.3) and earlier **Description** The issue is related to improper privilege management, which could allow an authenticated user to escalate privileges and download configuration files on a vulnerable device. This is due to deficiencies in access control. **Recommendations** For versions 6.70(ACGG.3) and earlier, update to a version that addresses the improper privilege management issue to prevent privilege escalation and unauthorized configuration file downloads. As a temporary workaround, consider restricting access to configuration files and limiting user privileges until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel USG FLEX series firmware versions 4.50 through 5.37 Zyxel VPN series firmware versions 4.30 through 5.37 **Description** The issue is related to improper privilege management in the hotspot feature of the affected devices. This could allow an authenticated local attacker to access system files on an affected device, potentially leading to unauthorized access to protected information. **Recommendations** For Zyxel USG FLEX series firmware versions 4.50 through 5.37, update to a version outside of this range to resolve the issue. For Zyxel VPN series firmware versions 4.30 through 5.37, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the hotspot feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.37 Zyxel USG FLEX series versions 4.50 through 5.37 Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Zyxel VPN series versions 4.30 through 5.37 Zyxel NWA50AX version 6.29(ABYW.2) Zyxel WAC500 version 6.65(ABVS.1) Zyxel WAX300H version 6.60(ACHF.1) Zyxel WBE660S version 6.65(ACGG.1) **Description** The issue is related to improper privilege management in the debug CLI command of the affected Zyxel devices. This could allow an authenticated local attacker to access the administrator’s logs on an affected device. The vulnerability is associated with deficiencies in access control. **Recommendations** For Zyxel ATP series versions 4.32 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG FLEX series versions 4.50 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG FLEX 50(W) series versions 4.16 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG20(W)-VPN series versions 4.16 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel VPN series versions 4.30 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel NWA50AX version 6.29(ABYW.2), update to a version that fixes the improper privilege management issue. For Zyxel WAC500 version 6.65(ABVS.1), update to a version that fixes the improper privilege management issue. For Zyxel WAX300H version 6.60(ACHF.1), update to a version that fixes the improper privilege management issue. For Zyxel WBE660S version 6.65(ACGG.1), update to a version that fixes the improper privilege management issue. As a temporary workaround, consider restricting access to the debug CLI command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZyXEL USG FLEX series firmware versions 4.50 through 5.37 ZyXEL USG FLEX 50(W) series firmware versions 4.16 through 5.37 ZyXEL USG20(W)-VPN series firmware versions 4.16 through 5.37 ZyXEL VPN series firmware versions 4.30 through 5.37 ZyXEL ATP series firmware versions 4.32 through 5.37 **Description** The issue is related to improper privilege management in the ZySH of the affected devices, which could allow an authenticated local attacker to modify the URL of the registration page in the web GUI of an affected device. **Recommendations** For ZyXEL USG FLEX series firmware versions 4.50 through 5.37, update to a version outside of this range to resolve the issue. For ZyXEL USG FLEX 50(W) series firmware versions 4.16 through 5.37, update to a version outside of this range to resolve the issue. For ZyXEL USG20(W)-VPN series firmware versions 4.16 through 5.37, update to a version outside of this range to resolve the issue. For ZyXEL VPN series firmware versions 4.30 through 5.37, update to a version outside of this range to resolve the issue. For ZyXEL ATP series firmware versions 4.32 through 5.37, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series version 5.37 Zyxel USG FLEX series version 5.37 Zyxel USG FLEX 50(W) series version 5.37 Zyxel USG20(W)-VPN series version 5.37 **Description** A buffer overflow issue in the firmware could allow an authenticated local attacker with administrator privileges to cause denial-of-service conditions by executing a CLI command with crafted strings on an affected device. The exploitation of this issue may result in a denial-of-service condition. **Recommendations** For Zyxel ATP series version 5.37, update the firmware to a version that addresses the buffer overflow issue. For Zyxel USG FLEX series version 5.37, update the firmware to a version that addresses the buffer overflow issue. For Zyxel USG FLEX 50(W) series version 5.37, update the firmware to a version that addresses the buffer overflow issue. For Zyxel USG20(W)-VPN series version 5.37, update the firmware to a version that addresses the buffer overflow issue. As a temporary workaround, consider restricting the execution of CLI commands with crafted strings on affected devices until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.37 Zyxel USG FLEX series versions 4.50 through 5.37 Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Zyxel VPN series versions 4.30 through 5.37 Zyxel NWA50AX version 6.29(ABYW.2) Zyxel WAC500 version 6.65(ABVS.1) Zyxel WAX300H version 6.60(ACHF.1) Zyxel WBE660S version 6.65(ACGG.1) **Description** The issue is related to improper privilege management in the debug CLI command of the affected Zyxel devices. This could allow an authenticated local attacker to access system files on an affected device. The vulnerability is associated with deficiencies in access control. **Recommendations** For Zyxel ATP series versions 4.32 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG FLEX series versions 4.50 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG FLEX 50(W) series versions 4.16 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel USG20(W)-VPN series versions 4.16 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel VPN series versions 4.30 through 5.37, update to a version that fixes the improper privilege management issue. For Zyxel NWA50AX version 6.29(ABYW.2), update to a version that fixes the improper privilege management issue. For Zyxel WAC500 version 6.65(ABVS.1), update to a version that fixes the improper privilege management issue. For Zyxel WAX300H version 6.60(ACHF.1), update to a version that fixes the improper privilege management issue. For Zyxel WBE660S version 6.65(ACGG.1), update to a version that fixes the improper privilege management issue. As a temporary workaround, consider restricting access to the debug CLI command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.37 Zyxel USG FLEX series versions 4.50 through 5.37 Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Zyxel VPN series versions 4.30 through 5.37 **Description** A buffer overflow vulnerability could allow an authenticated local attacker to cause denial-of-service (DoS) conditions by executing the CLI command to dump system logs on an affected device. The vulnerability is related to a buffer overflow in the firmware of the affected devices. **Recommendations** For Zyxel ATP series versions 4.32 through 5.37, update to a version that fixes the buffer overflow vulnerability. For Zyxel USG FLEX series versions 4.50 through 5.37, update to a version that fixes the buffer overflow vulnerability. For Zyxel USG FLEX 50(W) series versions 4.16 through 5.37, update to a version that fixes the buffer overflow vulnerability. For Zyxel USG20(W)-VPN series versions 4.16 through 5.37, update to a version that fixes the buffer overflow vulnerability. For Zyxel VPN series versions 4.30 through 5.37, update to a version that fixes the buffer overflow vulnerability. As a temporary workaround, consider restricting access to the CLI command to dump system logs on affected devices until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.35 Zyxel USG FLEX series versions 4.50 through 5.35 Zyxel USG FLEX 50(W) versions 4.16 through 5.35 Zyxel USG20(W)-VPN versions 4.16 through 5.35 Zyxel VPN series versions 4.30 through 5.35 **Description** The issue is related to a post-authentication command injection vulnerability in the CLI command, which could allow an authenticated attacker to execute some OS commands remotely. This vulnerability is associated with the lack of protection measures for the web page structure, potentially enabling a remote attacker to execute arbitrary scripts on the vulnerable device. **Recommendations** For Zyxel ATP series versions 4.32 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG FLEX series versions 4.50 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG FLEX 50(W) versions 4.16 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG20(W)-VPN versions 4.16 through 5.35, update to a version that includes a fix for this issue. For Zyxel VPN series versions 4.30 through 5.35, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the CLI command until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.35 Zyxel USG FLEX series versions 4.50 through 5.35 Zyxel USG FLEX 50(W) versions 4.16 through 5.35 Zyxel USG20(W)-VPN versions 4.16 through 5.35 Zyxel VPN series versions 4.30 through 5.35 **Description** The issue is related to a cross-site scripting (XSS) vulnerability that could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful attack could result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device. This is due to the lack of protection for the web page structure, which could enable a remote attacker to execute arbitrary scripts on the vulnerable device. **Recommendations** For Zyxel ATP series versions 4.32 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG FLEX series versions 4.50 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG FLEX 50(W) versions 4.16 through 5.35, update to a version that includes a fix for this issue. For Zyxel USG20(W)-VPN versions 4.16 through 5.35, update to a version that includes a fix for this issue. For Zyxel VPN series versions 4.30 through 5.35, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the Logs page of the GUI on the device until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZyXEL USG versions 4.30 through 4.72 ZyXEL ZyWALL versions 4.30 through 4.72 ZyXEL USG FLEX versions 4.50 through 5.31 ZyXEL VPN versions 4.30 through 5.31 ZyXEL ATP versions 4.32 through 5.31 **Description** A cross-site scripting (XSS) issue in the CGI program of ZyXEL devices is related to the lack of protection of the web page structure. This could allow a remote attacker to trick a user into visiting a crafted URL with the XSS payload, potentially gaining access to some browser-based information if the malicious script is executed on the victim’s browser. **Recommendations** For ZyXEL USG versions 4.30 through 4.72, update to a version outside of this range to mitigate the risk. For ZyXEL ZyWALL versions 4.30 through 4.72, update to a version outside of this range to mitigate the risk. For ZyXEL USG FLEX versions 4.50 through 5.31, update to a version outside of this range to mitigate the risk. For ZyXEL VPN versions 4.30 through 5.31, update to a version outside of this range to mitigate the risk. For ZyXEL ATP versions 4.32 through 5.31, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the CGI program until a patch is available.