CVE-2021-35027

7.5 HIGH

📋 TL;DR

A directory traversal vulnerability in Zyxel VPN2S firewall firmware allows remote attackers to access sensitive files by manipulating file paths. This affects organizations using Zyxel VPN2S firewalls with vulnerable firmware versions, potentially exposing configuration files, credentials, or other sensitive data.

💻 Affected Systems

Products:
  • Zyxel VPN2S Firewall
Versions: Firmware version 1.12
Operating Systems: Embedded Linux (Zyxel custom)
Default Config Vulnerable: ⚠️ Yes
Notes: All VPN2S devices running firmware version 1.12 are vulnerable. The web management interface is typically exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote attacker gains administrative access to firewall, extracts all credentials and configurations, and pivots to internal network.

🟠 Likely Case: Remote attacker accesses sensitive configuration files containing credentials, VPN settings, or firewall rules.

🟢 If Mitigated: Attack is blocked at network perimeter, or sensitive files are inaccessible due to proper file permissions.

🌐 Internet-Facing: HIGH - Web server is internet-facing by default on VPN2S devices, allowing direct remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if device is accessible on internal network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities typically require minimal technical skill to exploit once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 1.20 or later

Vendor Advisory: https://www.zyxel.com/support/Zyxel_security_advisory_for_directory_traversal_and_command_injection_vulnerabilities_of_VPN2S_Firewall.shtml

Restart Required: Yes

Instructions:

1. Download firmware version 1.20 or later from the Zyxel support portal.
2. Log into the VPN2S web interface.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload and install the new firmware.
5. Reboot the device.

🔧 Temporary Workarounds

Restrict Web Interface Access

Limit access to VPN2S web management interface to trusted IP addresses only.

Configure firewall rules to allow only specific source IPs to TCP ports 80/443 on VPN2S

Disable Web Interface

Temporarily disable web management interface if not required.

Use CLI: system web-management disable

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate VPN2S from untrusted networks
  • Monitor for unusual file access patterns in web server logs

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface: System > Status > Firmware Version. If version is 1.12, device is vulnerable.

Check Version:

ssh admin@vpn2s 'show version' | grep Firmware

Verify Fix Applied:

After patching, verify firmware version shows 1.20 or later in System > Status > Firmware Version.

📡 Detection & Monitoring

Log Indicators:

  • Web server logs showing ../ or ..\ sequences in URL requests
  • Multiple failed attempts to access sensitive file paths

Network Indicators:

  • Unusual HTTP requests containing directory traversal sequences to VPN2S IP

SIEM Query:

source="vpn2s_web_logs" AND (url="*../*" OR url="*..\\*")
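As an added example that is not part of this advisory or of any Zyxel tooling, the following Python scans constructed access-log lines for the traversal sequences listed above, percent-decoding the URL first so that encoded and double-encoded variants the plain wildcard SIEM query would miss are also caught, and then lists sources with repeated attempts. The log format, field names, hostnames and sample lines are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common access-log format (not real VPN2S output);
# source addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jul/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jul/2021:10:00:02 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jul/2021:10:00:03 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Jul/2021:10:00:04 +0000] "GET /..%5c..%5cconfig%5csystem.cfg HTTP/1.1" 404 0',
    '192.0.2.77 - - [01/Jul/2021:10:00:05 +0000] "GET /docs/manual..pdf HTTP/1.1" 200 9000',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." segment bounded by a slash (either direction) or by the string ends.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')

def decode_path(url, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded %252e%252e%252f is caught."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def is_traversal(url):
    """True if the decoded URL contains a parent-directory segment."""
    return TRAVERSAL_RE.search(decode_path(url)) is not None

def scan_logs(lines):
    """Return one hit dict per request whose URL carries a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m["url"]):
            hits.append({"src": m["src"], "ts": m["ts"], "url": m["url"],
                         "decoded": decode_path(m["url"]), "status": int(m["status"])})
    return hits

def repeat_offenders(hits, threshold=2):
    """Sources with at least `threshold` traversal hits (the repeated-attempt indicator)."""
    counts = Counter(h["src"] for h in hits)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(scan_logs(SAMPLE_LOGS), repeat_offenders(scan_logs(SAMPLE_LOGS)))
```

Note that "/docs/manual..pdf" is not flagged: the dots are inside a filename, not a path segment, which a bare "*..*" match would misreport.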
