Zyxel silently patches command-injection vulnerability with 9.8 severity rating

by Dan Goodin from Ars Technica - All content on (#5Z61A)
Hardware manufacturer Zyxel quietly released an update fixing a critical vulnerability that gives hackers the ability to control tens of thousands of firewall devices remotely.

The vulnerability, which allows remote command injection with no authentication required, carries a severity rating of 9.8 out of a possible 10. It's easy to exploit by sending simple HTTP or HTTPS requests to affected devices. The requests allow hackers to send commands or open a web shell interface that enables hackers to maintain privileged access over time.

High-value, easy to weaponize, requires no authentication

The vulnerability affects a line of firewalls that offer a feature known as zero-touch provisioning. Zyxel markets the devices for use in small branch and corporate headquarters deployments. The devices perform VPN connectivity, SSL inspection, web filtering, intrusion protection, and email security and provide up to 5Gbps throughput through the firewall. The Shodan device search service shows more than 16,000 affected devices are exposed to the Internet.
