CVE-2021-35029

9.8 CRITICAL

📋 TL;DR

This authentication bypass vulnerability in Zyxel security appliances allows remote attackers to execute arbitrary commands without valid credentials. It affects Zyxel USG/Zywall, USG Flex, ATP, and VPN series devices. Attackers can gain full control of affected devices through the web management interface.

💻 Affected Systems

Products:
  • Zyxel USG series
  • Zyxel Zywall series
  • Zyxel USG Flex series
  • Zyxel ATP series
  • Zyxel VPN series
Versions: USG/Zywall: 4.35 through 4.64; USG Flex/ATP/VPN: 4.35 through 5.01
Operating Systems: Zyxel proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web-based management interface. All devices with affected firmware versions are vulnerable regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to reconfigure firewall rules, intercept network traffic, install persistent backdoors, and pivot to internal networks.

🟠 Likely Case

Remote code execution leading to device takeover, credential theft, network reconnaissance, and potential lateral movement.

🟢 If Mitigated

Limited impact if devices are behind additional security controls, not internet-facing, and have strict network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet via web interface, CVSS 9.8 indicates critical risk for exposed devices.
🏢 Internal Only: HIGH - Even internally, this allows attackers with network access to bypass authentication and execute commands.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploits have been observed in the wild. Attackers can bypass authentication and execute commands without credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: USG/Zywall: 4.65 or later; USG Flex/ATP/VPN: 5.10 or later

Vendor Advisory: https://www.zyxel.com/support/Zyxel_security_advisory_for_attacks_against_security_appliances.shtml

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface.
4. Apply the firmware update.
5. Reboot the device.
6. Verify the firmware version.

🔧 Temporary Workarounds

Disable web management interface (applies to: all affected series)

Temporarily disable web-based management to prevent exploitation.

Configure via CLI: system interface mgt disable

Restrict management access (applies to: all affected series)

Limit management interface access to trusted IP addresses only.

Configure via web interface: System > Management > Access Control

🧯 If You Can't Patch

  • Isolate affected devices behind additional firewalls with strict access controls
  • Implement network segmentation to limit potential lateral movement from compromised devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System > Maintenance > System Information or CLI: show version

Check Version:

CLI: show version | grep Firmware

Verify Fix Applied:

Verify firmware version is 4.65+ for USG/Zywall or 5.10+ for USG Flex/ATP/VPN series
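The version check above is easy to get wrong across a fleet, because the two product families have different patch thresholds and because "5.01" and "5.10" compare correctly only as numeric (major, minor) pairs, not as strings. The following script, added here as an illustration and not part of the advisory or of any Zyxel tooling, classifies captured `show version` output against the ranges stated on this page. It assumes the firmware version appears in the output as `V<major>.<minor>(...)` (e.g. `V4.62(ABUI.0)`); the hostnames and output lines in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int]

# Ranges as given in this advisory summary, keyed by product family.
# "affected" is an inclusive (first, last) pair; "fixed" is the first patched release.
FAMILIES = {
    "USG/Zywall":       {"affected": ((4, 35), (4, 64)), "fixed": (4, 65)},
    "USG Flex/ATP/VPN": {"affected": ((4, 35), (5, 1)),  "fixed": (5, 10)},
}

# Assumption: the firmware version appears in 'show version' output as
# "V<major>.<minor>(...)", e.g. "V4.62(ABUI.0)". Adjust if the real output differs.
VERSION_RE = re.compile(r"\bV?(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Version]:
    """Return (major, minor) parsed from a 'show version' line, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(family: str, output: str) -> str:
    """Classify one device against the advisory ranges.

    Returns 'vulnerable' (inside the affected range), 'fixed' (at or above the
    patch release), 'undocumented' (a version this page lists in neither range,
    e.g. 5.05 for USG Flex, which should be treated as unpatched until confirmed
    with the vendor), or 'unparsed' (no version found in the output).
    """
    version = parse_version(output)
    if version is None:
        return "unparsed"
    ranges = FAMILIES[family]
    low, high = ranges["affected"]
    if low <= version <= high:
        return "vulnerable"
    if version >= ranges["fixed"]:
        return "fixed"
    return "undocumented"


# Constructed sample inventory (hostnames and outputs are made up for this example).
SAMPLE_INVENTORY = [
    ("fw-edge-01",   "USG/Zywall",       "Firmware version: V4.62(ABUI.0)"),
    ("fw-edge-02",   "USG/Zywall",       "Firmware version: V4.65(ABUI.0)"),
    ("fw-branch-01", "USG Flex/ATP/VPN", "Firmware version: V5.01(ABUK.0)"),
    ("fw-branch-02", "USG Flex/ATP/VPN", "Firmware version: V5.10(ABUK.0)"),
    ("fw-branch-03", "USG Flex/ATP/VPN", "Firmware version: V5.05(ABUK.0)"),
    ("fw-lab-01",    "USG/Zywall",       "connection timed out"),
]


def triage(inventory):
    """Map hostname -> status so the unpatched set can be prioritised."""
    return {host: assess(family, output) for host, family, output in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Anything reported as `undocumented` or `unparsed` needs a manual look rather than being silently counted as patched; the script deliberately does not collapse those into "fixed".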

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to management interface
  • Unexpected configuration changes
  • Unusual command execution logs

Network Indicators:

  • Unusual outbound connections from security appliances
  • Traffic to known malicious IPs from management interface

SIEM Query:

source="zyxel-firewall" AND (event_type="authentication_failure" OR event_type="configuration_change")
