Zyxel Vpn Series Firmware vulnerabilities
37 known vulnerabilities affecting zyxel/vpn_series_firmware.
Total CVEs
37
CISA KEV
4
actively exploited
Public exploits
5
Exploited in wild
4
Severity breakdown
CRITICAL6HIGH17MEDIUM14
Vulnerabilities
Page 2 of 2
CVE-2023-22915HIGHCVSS 7.5v4.30 through 5.352023-04-24
CVE-2023-22915 [HIGH] CWE-120 CVE-2023-22915: A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of Zyxel USG FLEX series fir
A buffer overflow vulnerability in the “fbwifi_forward.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.30 through 5.35, USG20(W)-VPN firmware versions 4.30 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote unauthenticated attacker to cause DoS
cvelistv5nvd
CVE-2023-22916HIGHCVSS 8.1v5.00 through 5.352023-04-24
CVE-2023-22916 [HIGH] CWE-20 CVE-2023-22916: The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series fi
The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input. A remote unauthentic
cvelistv5nvd
CVE-2023-27991HIGHCVSS 8.8v4.30 through 5.352023-04-24
CVE-2023-27991 [HIGH] CWE-78 CVE-2023-27991: The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmw
The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could all
cvelistv5nvd
CVE-2023-22913HIGHCVSS 8.1v4.30 through 5.352023-04-24
CVE-2023-22913 [HIGH] CWE-77 CVE-2023-22913: A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Z
A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an aff
cvelistv5nvd
CVE-2023-22918MEDIUMCVSS 6.5v4.30 through 5.352023-04-24
CVE-2023-22918 [MEDIUM] CWE-359 CVE-2023-22918: A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firm
A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmwa
cvelistv5nvd
CVE-2023-27990MEDIUMCVSS 4.8v4.30 through 5.352023-04-24
CVE-2023-27990 [MEDIUM] CWE-79 CVE-2023-27990: The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35
The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker
cvelistv5nvd
CVE-2022-38547HIGHCVSS 7.2v4.30 through 5.322023-02-07
CVE-2022-38547 [HIGH] CWE-78 CVE-2022-38547: A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series
A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator pr
cvelistv5nvd
CVE-2022-40603MEDIUMCVSS 6.1v4.30 through 5.312022-12-06
CVE-2022-40603 [MEDIUM] CWE-79 CVE-2022-40603: A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware ve
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL
cvelistv5nvd
CVE-2022-30526HIGHCVSS 7.8PoCv4.30 through 5.302022-07-19
CVE-2022-30526 [HIGH] CWE-269 CVE-2022-30526: A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firm
A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmw
cvelistv5nvd
CVE-2022-2030MEDIUMCVSS 6.5v4.30 through 5.302022-07-19
CVE-2022-2030 [MEDIUM] CWE-22 CVE-2022-2030: A directory traversal vulnerability caused by specific character sequences within an improperly sani
A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.
cvelistv5nvd
CVE-2022-26531HIGHCVSS 7.8PoCv4.30 through 5.212022-05-24
CVE-2022-26531 [HIGH] CWE-20 CVE-2022-26531: Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL se
Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
cvelistv5nvd
CVE-2022-26532HIGHCVSS 7.8v4.30 through 5.212022-05-24
CVE-2022-26532 [HIGH] CWE-88 CVE-2022-26532: A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firm
A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware
cvelistv5nvd
CVE-2022-0910MEDIUMCVSS 6.5v4.32 through 5.212022-05-24
CVE-2022-0910 [MEDIUM] CWE-287 CVE-2022-0910: A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI pro
A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticat
cvelistv5nvd
CVE-2022-0734MEDIUMCVSS 6.1v4.35 through 5.202022-05-24
CVE-2022-0734 [MEDIUM] CWE-79 CVE-2022-0734: A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series fi
A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in
cvelistv5nvd
CVE-2022-30525CRITICALCVSS 9.8KEVPoCv4.60 through 5.21 Patch 12022-05-12
CVE-2022-30525 [CRITICAL] CWE-78 CVE-2022-30525: A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21
cvelistv5nvd
CVE-2022-0342CRITICALCVSS 9.8PoCv4.30 through 5.202022-03-28
CVE-2022-0342 [CRITICAL] CWE-287 CVE-2022-0342: An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versio
An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow
cvelistv5nvd
CVE-2021-35029CRITICALCVSS 9.8v4.35 through 5.012021-07-02
CVE-2021-35029 [CRITICAL] CWE-287 CVE-2021-35029: An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall se
An authentication bypasss vulnerability in the web-based management interface of Zyxel USG/Zywall series firmware versions 4.35 through 4.64 and USG Flex, ATP, and VPN series firmware versions 4.35 through 5.01, which could allow a remote attacker to execute arbitrary commands on an affected device.
cvelistv5nvd
← Previous2 / 2