Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-12583

CWE-425 | 4 documents | 4 sources
Severity: 9.1 CRITICAL
EPSS: 59.1% (top 1.77%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 27 | Latest update May 24

Description

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (14 packages)

NVD | zyxel/zywall_110_firmware | 4.33\(aaaa.0\)c0
NVD | zyxel/zywall_310_firmware | 4.33\(aaab.0\)c0
NVD | zyxel/zywall_1100_firmware | 4.33\(aaac.0\)c0
NVD | zyxel/zywall_vpn100_firmware | 10.02\(abfv.0\)c0
NVD | zyxel/zywall_vpn300_firmware | 10.02\(abfc.0\)c0

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-cq6f-phq5-pc66: Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts | 2022-05-24
CVEList | CVE-2019-12583: Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts | 2019-06-27

💥 Exploits & PoCs (1)

Nuclei | Zyxel ZyWall UAG/USG - Account Creation Access
CVE-2019-12583 (CRITICAL CVSS 9.1) | Missing Access Control in the "Free | cvebase.io