CVE-2022-0910

Name of the Vulnerable Software and Affected Versions ZyXEL USG/ZyWALL series firmware versions 4.32 through 4.71 ZyXEL USG FLEX series firmware versions 4.50 through 5.21 ZyXEL ATP series firmware versions 4.32 through 5.21 ZyXEL VPN series firmware versions 4.32 through 5.21

Description The vulnerability is related to a downgrade from two-factor authentication to one-factor authentication in the CGI program of ZyXEL's network device software. This could allow an authenticated attacker to bypass the second authentication phase and connect to the IPsec VPN server, even if two-factor authentication (2FA) is enabled. The issue is associated with weaknesses in the authentication procedure.

Recommendations For ZyXEL USG/ZyWALL series firmware versions 4.32 through 4.71, update to a version outside of this range to mitigate the risk. For ZyXEL USG FLEX series firmware versions 4.50 through 5.21, update to a version outside of this range to mitigate the risk. For ZyXEL ATP series firmware versions 4.32 through 5.21, update to a version outside of this range to mitigate the risk. For ZyXEL VPN series firmware versions 4.32 through 5.21, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider disabling the two-factor authentication bypass functionality until a patch is available. Restrict access to the IPsec VPN server to minimize the risk of exploitation. Avoid using the vulnerable CGI program in the affected firmware versions until the issue is resolved.