PT-2022-4534 · Zyxel · Zyxel Usg Flex 50+8
Published: 2022-07-19 · Updated: 2022-08-22 · CVE-2022-2030
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30
Zyxel USG FLEX 200 firmware versions 4.50 through 5.30
Zyxel USG FLEX 500 firmware versions 4.50 through 5.30
Zyxel USG FLEX 700 firmware versions 4.50 through 5.30
Zyxel USG FLEX 50(W) firmware versions 4.16 through 5.30
Zyxel USG20(W)-VPN firmware versions 4.16 through 5.30
Zyxel ATP series firmware versions 4.32 through 5.30
Zyxel VPN series firmware versions 4.30 through 5.30
Zyxel USG/ZyWALL series firmware versions 4.11 through 4.72
Description
A directory traversal vulnerability was identified in some CGI programs of Zyxel devices: specific character sequences in a URL are not properly sanitized, so the requested path name is not correctly limited to the intended restricted directory. An authenticated attacker could use this to read some restricted files on a vulnerable device; remote exploitation may therefore disclose protected information.
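The root cause described above, an access check that is applied to the raw URL string rather than to the resolved path, is illustrated by the following added example. It is not Zyxel's code and does not reflect how the affected CGI programs are implemented; the restricted directory `/var/www/restricted`, the function names and the sample request paths are all constructed for the illustration. `naive_is_safe` shows a substring test that percent-encoded sequences slip past; `resolve_within_root` decodes, normalizes and then checks containment against the allowed directory, which is the check a CGI handler should be doing.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example: the only directory this handler may serve files from.
ALLOWED_ROOT = "/var/www/restricted"


def naive_is_safe(url_path: str) -> bool:
    """The kind of check that fails: a substring test on the raw, still-encoded URL path."""
    return "../" not in url_path


def resolve_within_root(url_path: str, root: str = ALLOWED_ROOT) -> Optional[str]:
    """Decode the URL path, normalize it lexically, and return the resolved
    filesystem path only if it stays inside root; otherwise return None."""
    # Decode until stable so double-encoded sequences (%252e) do not survive.
    decoded = url_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once

    # Treat backslashes as separators; some stacks normalize them to '/'.
    decoded = decoded.replace("\\", "/")

    # A NUL byte can truncate the path inside C-based CGI programs; reject it outright.
    if "\x00" in decoded:
        return None

    # Anchor the request under root and collapse '.' and '..' segments.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))

    # Containment check: the result must be root itself or a descendant of root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify_requests(url_paths):
    """Return {path: (naive verdict, hardened result)} for a batch of request paths,
    showing where the two checks disagree."""
    return {p: (naive_is_safe(p), resolve_within_root(p)) for p in url_paths}


if __name__ == "__main__":
    # Constructed sample request paths, as they would appear in a CGI handler's input.
    samples = [
        "reports/daily.txt",
        "reports/../daily.txt",
        "../../etc/passwd",
        "..%2f..%2fetc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\etc/passwd",
    ]
    for path, (naive, hardened) in classify_requests(samples).items():
        print(f"{path!r:40} naive_ok={naive!s:5} resolved={hardened}")
```

The lexical check above is enough to reject traversal sequences in the request, but on a real filesystem it should be followed by `os.path.realpath` on the candidate and a second containment check, because a symlink inside the allowed directory can still point outside it.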
Recommendations
For Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG FLEX 200 firmware versions 4.50 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG FLEX 500 firmware versions 4.50 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG FLEX 700 firmware versions 4.50 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG FLEX 50(W) firmware versions 4.16 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG20(W)-VPN firmware versions 4.16 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel ATP series firmware versions 4.32 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel VPN series firmware versions 4.30 through 5.30, update to a version outside of this range to resolve the issue.
For Zyxel USG/ZyWALL series firmware versions 4.11 through 4.72, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable CGI programs until a patch is available.
Fix
Path traversal
Affected Products
Zyxel Atp Series
Zyxel Usg Flex 100
Zyxel Usg Flex 200
Zyxel Usg Flex 50
Zyxel Usg Flex 500
Zyxel Usg Flex 700
Zyxel Usg/Zywall Series
Zyxel Usg20(W)-Vpn
Zyxel Vpn Series