Zyxel 漏洞列表

On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access. app="ZyXEL-NBG2105"

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. FOFA: app="ZyXEL-USG-FLEX"

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

Zyxel VMG1312-B10D 5.13AAXA.8 is susceptible to local file inclusion. A remote unauthenticated attacker can send a specially crafted URL request containing "dot dot" sequences (/../), conduct directory traversal attacks, and view arbitrary files.

Zyxel ZyWall, USG, and UAG devices allow remote attackers to inject arbitrary web script or HTML via the err_msg parameter free_time_failed.cgi CGI program, aka reflective cross-site scripting.

Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator via the "Free Time" component. This can lead to unauthorized network access or DoS attacks.

Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, and ZyWALL 1100 devices contain a reflected cross-site scripting vulnerability on the security firewall login page via the mp_idx parameter.

A hardcoded credential vulnerability was identified in the 'zyfwp' user account in some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points through FTP.

Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable Zyyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any Zyyxel device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 Zyyxel has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2.

Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.

ZyXEL ZyWALL 2 Plus Internet Security Appliance contains a cross-site scripting vulnerability. Insecure URI handling leads to bypass of security restrictions, which allows an attacker to execute arbitrary JavaScript codes to perform multiple attacks.

An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device.

An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, are susceptible to a command injection vulnerability which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.

The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

众勤通信设备贸易（上海）有限公司ZyXEL-EMG3425-Q10A存在弱口令漏洞，攻击者可以利用该漏洞获取管理员权限进而控制整个系统。

Zyxel NAS设备是Zyxel公司生产的一种网络附加存储（Network AttachedStorage，NAS）设备。NAS设备是一种专门的文件存储设备，能够通过网络与多个用户或设备共享文件。Zyxel NAS326 设备中的存在未授权开启的NsaRescueAngel 账号，攻击者可以来利用该账号获取服务器root权限，进而控制整个设备。

Zyxel NAS326存在命令注入漏洞，此漏洞是由于setCookie未充分验证用户输入的数据所导致的。

Zyxel NAS326中存在命令注入漏洞，此漏洞是由于未充分验证用户输入的url数据所导致的。

Zyxel NAS326中存在命令注入漏洞，此漏洞是由于未充分验证用户输入的url数据所导致的。

Zyxel NAS542和Zyxel NAS326都是中国合勤（Zyxel）公司的产品。Zyxel NAS542是一款NAS（网络附加存储）设备。Zyxel NAS326是一款云存储 NAS。Zyxel NAS326 V5.21(AAZF.17)C0之前版本、NAS542 V5.21(ABAG.14)C0之前版本存在操作系统命令注入漏洞，该漏洞源于setCookie参数中存在命令注入漏洞，从而导致攻击者可通过HTTP POST请求来执行某些操作系统 (OS) 命令。

Zyxel NAS设备是Zyxel公司生产的一种网络附加存储（Network AttachedStorage，NAS）设备。NAS设备是一种专门的文件存储设备，能够通过网络与多个用户或设备共享文件。Zyxel NAS326 和 NAS542设备中的setCookie参数中存在命令注入漏洞，可能导致未经身份验证的威胁者发送恶意设计的 HTTP POST 请求执行某些系统命令。

Zyxel NAS fileuploadcgi 未授权 文件上传限制不当 可致远程代码执行

Zyxel USG/ZyWALL系列固件版本4.20至4.70、USGFLEX系列固件版本4.50至5.20、ATP系列固件版本4.32至5.20，VPN系列固件版本4.3至5.20以及NSG系列固件版本V1.20至V1.33Patch 4的CGI程序中存在身份验证绕过漏洞，攻击者可以绕过web身份验证并获得设备的管理访问权限。

Zyxel NAS326存在命令注入漏洞，该漏洞是由于cmd接口对用户的请求验证不当导致的。

ZyXEL ZyWALL 2 Plus存在跨站脚本漏洞，此漏洞是缺乏校验导致的。

ZYXELVMG1312-B10D是一款由ZyXEL公司生产的网络设备，它是一款DSL路由器。该设备支持多种DSL技术，如ADSL、ADSL2+和VDSL等，并具有高速数据传输速率。此外，它还提供了一系列网络管理和安全功能，如防火墙、VPN和无线接入等。该路由器易受未经身份验证的本地包含（包括/etc/shadow等特权文件）的攻击。攻击者可以使用此端点读取系统上的所有文件。

ZyXEL routers 是ZyXEL公司的多款路由器产品。 多款ZyXEL路由器 /Export_Log 存在任意文件读取漏洞，攻击者可获取用户密码等敏感信息。

ZyXEL routers 是ZyXEL公司的多款路由器产品。多款ZyXEL路由器 /Export_Log 存在任意文件读取漏洞，攻击者可获取用户密码等敏感信息。

Zyxel ZyWall、USG和UAG设备允许远程攻击者通过err_msg参数free_time_failed.cgicgi程序（也称为反射式跨站点脚本）注入任意web脚本或HTML。

该漏洞存在于某些Zyxel防火墙版本的 CGI 程序中，允许在未经身份验证的情况下在受影响设备上以nobody用户身份执行任意命令。。

Zyxel VMG1312-B10D 5.13AAXA.8版本中存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问任意目录。

ZyXEL Armor X1 WAP6806是中国台湾合勤（ZyXEL）公司的一款无线网卡产品。 ZyXEL Armor X1 WAP68061.00(ABAL.6)C0版本中存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。

NBG2105是ZyXel的无线迷你旅行路由器位于http：//router-IP/js/util_gw.js上的路由器的Javascript公开了函数checkCookie（），该函数显示cookie“登录”。最初，此cookie的值为“ 0”，但是成功登录后，cookie设置为“ 1”。 通过将Cookie的“login”设置为“1”，可以在没有登录凭据的情况下滥用此权限来访问路由器管理页面。 login_ok.htm帮助实现将标志位"login"设置为1

合勤科技是国际知名品牌的网络宽带系统及解决方案的供应商，多年来，合勤在多家国际知名媒体的企业评选中屡获殊荣；而网络设备也经常被专业知名杂志推荐为“首选产品”。历年来，在技术与产品的研发创新中，多次获得世界第一美誉。zyxel的防火墙，AP控制器产品中存在一处漏洞，漏洞允许使用用户名：zyfwp，密码：PrOw!aN_fXp以admin权限登录受影响的设备。该账户内置在设备固件中，无法从控制面板查看、删除和修改密码，该账户本意是通过ftp自动对设备下发固件升级，但因错误配置导致可以用该账户以管理员权限登录设备。

多款ZyXEL产品中存在操作系统命令注入漏洞。远程攻击者可借助特制的HTTPPOST或GET请求利用该漏洞执行任意代码。以下产品及版本受到影响：使用V5.21(AAZF.7)C0之前版本固件的NAS326；使用V5.21(AASZ.3)C0之前版本固件的NAS520；使用V5.21(AATB.4)C0之前版本固件的NAS540；使用V5.21(ABAG.4)C0之前版本固件的NAS542；ZyXELNSA210；ZyXEL NSA220；ZyXEL NSA220+；ZyXEL NSA221；ZyXEL NSA310；ZyXEL NSA310S；ZyXELNSA320；ZyXEL NSA320S；ZyXEL NSA325；ZyXEL NSA325v2。

【漏洞对象】zyxel路由器 【漏洞描述】 zyxel路由器存在默认口令，可利用默认口令登录设备，进行配置的查看和修改。

【漏洞对象】ZyXEL 【涉及版本】ZyAIR_B500 【漏洞描述】 未登录情况下可下载配置文件,通过router pass可解密出登陆密码

【漏洞对象】ZyXEL-NBG 【涉及版本】416N-Router 【漏洞描述】ZyXEL-NBG-416N-Router默认密码登录，攻击者可利用默认密码登录路由器后台，可查看网络设置，安全策略，访问管理等信息，并可做增删改查等恶意操作。

【漏洞对象】Eir/Zyxel D1000 【涉及版本】 Eir/Zyxel D1000 【漏洞描述】 EirD1000调制解调器未正确限制TR-064协议，该协议允许远程攻击者通过TCP端口7547执行任意命令，如通过打开对TCP端口80的WAN访问，获取登录密码（默认为Wi-Fi）所展示的密码），并使用NewNTPServer功能。

某些Zyxel防火墙和AP控制器中存在一个硬编码的后门账号，账号密码为zyfwp/PrOw!aN_fXp或存在弱口令账号，使用该帐号旨在通过FTP向连接的访问点提供自动固件更新。在具体的利用场景中可以通过该漏洞来植入后门程序，建议使用该产品的用户尽快升级漏洞修复的版本。