CVE-2019-12583
📋 TL;DR
This vulnerability allows remote attackers to bypass authentication and generate guest accounts on affected Zyxel devices by directly accessing the account generator in the Free Time component. This can lead to unauthorized network access or denial of service. Affected systems include Zyxel UAG, USG, and ZyWall devices with vulnerable firmware versions.
💻 Affected Systems
- Zyxel UAG series
- Zyxel USG series
- Zyxel ZyWall series
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete network compromise through unauthorized guest accounts leading to lateral movement, data exfiltration, or persistent backdoor access.
Likely Case
Unauthorized network access through guest accounts, potential bandwidth consumption, and network disruption.
If Mitigated
Limited impact with proper network segmentation and monitoring, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires direct access to the account generator endpoint without authentication. Public proof-of-concept demonstrates simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ZLD V4.32 Patch 1 and later
Vendor Advisory: https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
Disable Free Time Feature
Temporarily disable the Free Time component to prevent exploitation.
configure terminal
no free-time enable
commit
end
Network Access Control
Restrict access to device management interfaces using firewall rules.
access-list deny ip any any eq 443
access-list deny ip any any eq 80
🧯 If You Can't Patch
- Isolate affected devices in separate VLAN with strict access controls
- Implement network monitoring for unauthorized guest account creation attempts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > Maintenance > Firmware) or the CLI command 'show version'. If the version is earlier than ZLD V4.32 Patch 1, the device is vulnerable.
Check Version:
show version
Verify Fix Applied:
Verify firmware version is ZLD V4.32 Patch 1 or later. Test by attempting to access account generator endpoint without authentication.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /cgi-bin/account_generator
- Unexpected guest account creation
- Failed authentication attempts followed by successful guest creation
Network Indicators:
- HTTP POST requests to account generator endpoint from unauthorized sources
- Unusual network traffic from guest network segments
SIEM Query:
source="zyxel-firewall" AND (url="/cgi-bin/account_generator" OR event="guest_account_created")
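As an added example that is not part of this advisory or of any Zyxel tooling, the following Python applies the log and network indicators above to a constructed key=value log format. The field names, the `user=-` convention for an unauthenticated session, and the sample lines themselves are assumptions; adapt the parser to the real log source you export.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format (not real Zyxel output).
# The second source performs the pattern the advisory calls out: failed authentication,
# then an unauthenticated POST to the account generator, then a guest account appears.
SAMPLE_LOGS = """\
ts=1 src=10.0.0.5 user=admin event=auth_success
ts=2 src=10.0.0.5 user=admin event=http_request method=POST url=/cgi-bin/account_generator
ts=3 src=10.0.0.5 user=admin event=guest_account_created account=guest01
ts=4 src=203.0.113.9 user=- event=auth_failure
ts=5 src=203.0.113.9 user=- event=http_request method=POST url=/cgi-bin/account_generator
ts=6 src=203.0.113.9 user=- event=guest_account_created account=guest02
"""

GENERATOR_PATH = "/cgi-bin/account_generator"
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def detect(log_text):
    """Return (ts, src, reason) alerts for the three indicators listed in the advisory.

    Assumes an authenticated session is logged with a real user name and an
    unauthenticated one as user=- (assumed convention, see lead-in).
    """
    alerts = []
    failed_auth = defaultdict(int)  # src -> auth failures since last success
    for line in log_text.splitlines():
        rec = parse_line(line)
        src, user, event = rec.get("src"), rec.get("user", "-"), rec.get("event")
        authenticated = user != "-"
        if event == "auth_failure":
            failed_auth[src] += 1
        elif event == "auth_success":
            failed_auth[src] = 0
        elif event == "http_request" and rec.get("url") == GENERATOR_PATH and not authenticated:
            alerts.append((rec["ts"], src, "unauthenticated access to account generator"))
        elif event == "guest_account_created":
            if not authenticated:
                alerts.append((rec["ts"], src, "guest account created without authenticated session"))
            if failed_auth[src]:
                alerts.append((rec["ts"], src, "guest account created after failed authentication"))
    return alerts


if __name__ == "__main__":
    for ts, src, reason in detect(SAMPLE_LOGS):
        print(f"ts={ts} src={src}: {reason}")
```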
🔗 References
- https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
- https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml