CVE-2021-35034

7.4 HIGH

📋 TL;DR

This vulnerability allows remote attackers to maintain unauthorized access to Zyxel NBG6604 routers by exploiting insufficient session expiration in the CGI program. Attackers can intercept valid authentication tokens and reuse them to bypass login protections. This affects all users of vulnerable Zyxel NBG6604 router firmware versions.

💻 Affected Systems

Products:
  • Zyxel NBG6604 Home Router
Versions: Firmware versions prior to V1.00(ABIR.1)C0
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected firmware versions are vulnerable. The vulnerability exists in the CGI program handling web interface sessions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A remote attacker gains persistent administrative access to the router, enabling network traffic interception, device reconfiguration, malware deployment, and lateral movement into connected networks.

🟠 Likely Case: An attacker with network access intercepts session tokens and gains unauthorized administrative access to the router management interface.

🟢 If Mitigated: With proper network segmentation and access controls, impact is limited to the isolated router management interface, without access to internal network resources.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability allows remote exploitation via intercepted tokens.
🏢 Internal Only: MEDIUM - Attackers on internal network could exploit this, but would need to intercept valid authentication tokens first.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires intercepting valid authentication tokens, which typically requires man-in-the-middle position or access to network traffic. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.00(ABIR.1)C0

Vendor Advisory: https://www.zyxel.com/support/Zyxel_security_advisory_for_sensitive_information_vulnerabilities_of_NBG6604_home_router.shtml

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to Maintenance > Firmware Upgrade.
3. Download firmware V1.00(ABIR.1)C0 from the Zyxel support site.
4. Upload and apply the firmware update.
5. The router will automatically restart after the update.

🔧 Temporary Workarounds

Disable Remote Management
Applies to: all
Effect: Prevents external attackers from accessing the router management interface
Steps: Log into router > Network > WAN > Remote Management > Disable

Use HTTPS Only
Applies to: all
Effect: Encrypts web interface traffic to prevent token interception
Steps: Log into router > Management > Access Control > Enable HTTPS only

🧯 If You Can't Patch

  • Isolate router management interface to trusted internal network only
  • Implement network segmentation to limit router access to authorized administrators

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router web interface: Login > Maintenance > Firmware Information. If the version is earlier than V1.00(ABIR.1)C0, the device is vulnerable.

Check Version:

Run: curl -k https://router-ip/ (replace router-ip with the router's management address), or check the web interface at Maintenance > Firmware Information.

Verify Fix Applied:

After patching, verify firmware version shows V1.00(ABIR.1)C0 or later in Maintenance > Firmware Information.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same IP with different user agents
  • Session tokens being used from unexpected IP addresses
  • Administrative access outside normal business hours

Network Indicators:

  • HTTP traffic to router management interface containing session tokens
  • Unusual administrative traffic patterns

SIEM Query:

source="router-logs" AND (event="admin_login" AND (src_ip NOT IN allowed_admin_ips OR user_agent_changes > 3))
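The log indicators and the SIEM query above, implemented as a small detector over constructed sample log lines. This is an added example, not part of the advisory or any Zyxel tooling; the log line layout, the allow-list, the user-agent threshold, and the 08:00-17:59 business-hours window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real NBG6604 output); the field layout is an
# assumption made for this example: <ISO timestamp> admin_login src_ip= token= ua="..."
SAMPLE_LOGS = """\
2021-09-01T08:01:10 admin_login src_ip=192.0.2.10 token=abc123 ua="Mozilla/5.0 (Windows NT 10.0)"
2021-09-01T08:05:42 admin_login src_ip=192.0.2.10 token=abc123 ua="Mozilla/5.0 (Windows NT 10.0)"
2021-09-01T09:12:03 admin_login src_ip=198.51.100.7 token=abc123 ua="curl/7.79.1"
2021-09-01T09:13:55 admin_login src_ip=192.0.2.10 token=def456 ua="python-requests/2.26"
2021-09-01T09:14:20 admin_login src_ip=192.0.2.10 token=def456 ua="Go-http-client/1.1"
2021-09-01T09:15:01 admin_login src_ip=192.0.2.10 token=def456 ua="Wget/1.21"
2021-09-01T22:30:00 admin_login src_ip=192.0.2.10 token=ghi789 ua="Mozilla/5.0 (Windows NT 10.0)"
"""

ALLOWED_ADMIN_IPS = {"192.0.2.10"}  # assumed allow-list (the query's allowed_admin_ips)
UA_CHANGE_THRESHOLD = 3             # the query's user_agent_changes > 3
BUSINESS_HOURS = range(8, 18)       # assumed "normal business hours", 08:00-17:59
LINE_RE = re.compile(
    r'^(?P<ts>\S+) admin_login src_ip=(?P<ip>\S+) token=(?P<token>\S+) ua="(?P<ua>[^"]*)"$'
)

def parse_events(log_text):
    """Return one dict per well-formed admin_login line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_indicators(events):
    """Apply the advisory's log indicators and return (indicator, value) findings."""
    findings = []
    token_ips = defaultdict(set)  # token -> set of source IPs that presented it
    ip_uas = defaultdict(set)     # source IP -> set of user agents seen from it
    for e in events:
        token_ips[e["token"]].add(e["ip"])
        ip_uas[e["ip"]].add(e["ua"])
        if e["ip"] not in ALLOWED_ADMIN_IPS:
            findings.append(("login_from_unlisted_ip", e["ip"]))
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            findings.append(("after_hours_admin", e["ts"]))
    # A token presented from more than one IP is the reuse pattern CVE-2021-35034 enables.
    for token, ips in token_ips.items():
        if len(ips) > 1:
            findings.append(("token_reused_across_ips", token))
    # Many different user agents from one IP suggests tooling, not a single admin's browser.
    for ip, uas in ip_uas.items():
        if len(uas) > UA_CHANGE_THRESHOLD:
            findings.append(("many_user_agents", ip))
    return findings
```

On the sample above it reports the token abc123 reused from a second IP, the unlisted IP 198.51.100.7, four distinct user agents from 192.0.2.10, and the 22:30 login.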
