CVE-2022-26532

Name of the Vulnerable Software and Affected Versions Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71 Zyxel USG FLEX series firmware versions 4.50 through 5.21 Zyxel ATP series firmware versions 4.32 through 5.21 Zyxel VPN series firmware versions 4.30 through 5.21 Zyxel NSG series firmware versions 1.00 through 1.33 Patch 4 Zyxel NXC2500 firmware version 6.10(AAIG.3) and earlier versions Zyxel NAP203 firmware version 6.25(ABFA.7) and earlier versions Zyxel NWA50AX firmware version 6.25(ABYW.5) and earlier versions Zyxel WAC500 firmware version 6.30(ABVS.2) and earlier versions Zyxel WAX510D firmware version 6.30(ABTF.2) and earlier versions

Description A local authenticated attacker could execute arbitrary OS commands by including crafted arguments to the 'packet-trace' CLI command due to an argument injection vulnerability. This vulnerability is related to the lack of measures to neutralize special elements used in the OS command.

Recommendations For Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX series firmware versions 4.50 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel ATP series firmware versions 4.32 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel VPN series firmware versions 4.30 through 5.21, update to a version outside of this range to mitigate the risk. For Zyxel NSG series firmware versions 1.00 through 1.33 Patch 4, update to a version outside of this range to mitigate the risk. For Zyxel NXC2500 firmware version 6.10(AAIG.3) and earlier versions, update to a version later than 6.10(AAIG.3) to mitigate the risk. For Zyxel NAP203 firmware version 6.25(ABFA.7) and earlier versions, update to a version later than 6.25(ABFA.7) to mitigate the risk. For Zyxel NWA50AX firmware version 6.25(ABYW.5) and earlier versions, update to a version later than 6.25(ABYW.5) to mitigate the risk. For Zyxel WAC500 firmware version 6.30(ABVS.2) and earlier versions, update to a version later than 6.30(ABVS.2) to mitigate the risk. For Zyxel WAX510D firmware version 6.30(ABTF.2) and earlier versions, update to a version later than 6.30(ABTF.2) to mitigate the risk. As a temporary workaround, consider disabling the 'packet-trace' CLI command until a patch is available.