CVE-2022-0342

9.8 CRITICAL

📋 TL;DR

This authentication bypass vulnerability in Zyxel firewall CGI programs allows attackers to circumvent web authentication and gain administrative access to affected devices. It affects multiple Zyxel firewall series with specific firmware versions. Organizations using these devices with vulnerable firmware are at risk of complete device compromise.

💻 Affected Systems

Products:
  • Zyxel USG/ZyWALL series
  • USG FLEX series
  • ATP series
  • VPN series
  • NSG series
Versions: USG/ZyWALL: 4.20-4.70; USG FLEX: 4.50-5.20; ATP: 4.32-5.20; VPN: 4.30-5.20; NSG: V1.20-V1.33 Patch 4
Operating Systems: Zyxel proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with web management interface enabled are vulnerable. The vulnerability is in the CGI program used for web authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete administrative takeover of the firewall, enabling network pivoting, data exfiltration, and deployment of persistent backdoors across the network.

🟠 Likely Case: Unauthorized administrative access leading to firewall rule manipulation, VPN credential theft, and network traffic interception.

🟢 If Mitigated: Limited impact if devices sit behind additional security layers, but still significant because of the firewall's critical position in the network.

🌐 Internet-Facing: HIGH - Directly accessible firewalls can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the web management interface (typically port 80/443). The vulnerability is in authentication logic, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: USG/ZyWALL: 4.71; USG FLEX: 5.21; ATP: 5.21; VPN: 5.21; NSG: V1.33 Patch 5

Vendor Advisory: https://www.zyxel.com/support/Zyxel-security-advisory-for-authentication-bypass-vulnerability-of-firewalls.shtml

Restart Required: Yes

Instructions:

1. Download the appropriate firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface or CLI.
4. Reboot the device after installation.
5. Verify the firmware version after the update.

🔧 Temporary Workarounds

Disable Web Management Interface

Applies to: all affected products

Temporarily disable web-based management to prevent exploitation while patching is planned. Confirm that SSH or console access works before doing this, since the web UI is also how legitimate administrators manage the device.

configure terminal
no web-management enable
commit

Restrict Management Access

Applies to: all affected products

Limit management interface access to specific trusted IP addresses only (the permit entry must precede the final deny).

configure terminal
access-list management permit ip <trusted_ip> any
access-list management deny ip any any
web-management access-class management
commit

🧯 If You Can't Patch

  • Isolate affected devices in separate network segments with strict access controls
  • Implement network monitoring and intrusion detection specifically for authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface (System > Maintenance > Firmware) or the CLI command `show version`, and compare it against the affected version ranges listed above.

Check Version:

show version

Verify Fix Applied:

Verify that the firmware version matches or exceeds the patched versions listed in the vendor advisory for your series.
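The version comparison described above, written out as a small added check that is not part of this advisory page or Zyxel's tooling. It encodes the affected ranges and patched releases exactly as listed on this page and classifies a firmware string copied from `show version` or the web UI. The version-string parser assumes the `major.minor` and `V1.33 Patch 4` shapes shown on this page; other formats raise an error rather than being guessed.

```python
import re
from typing import Tuple

Version = Tuple[int, int, int]  # (major, minor, patch)

# Affected ranges and patched releases, copied verbatim from this advisory page.
AFFECTED = {
    "USG/ZyWALL": ("4.20", "4.70"),
    "USG FLEX": ("4.50", "5.20"),
    "ATP": ("4.32", "5.20"),
    "VPN": ("4.30", "5.20"),
    "NSG": ("V1.20", "V1.33 Patch 4"),
}
PATCHED = {
    "USG/ZyWALL": "4.71",
    "USG FLEX": "5.21",
    "ATP": "5.21",
    "VPN": "5.21",
    "NSG": "V1.33 Patch 5",
}

# Accepts "4.70", "V1.33", "V1.33 Patch 4" (assumed shapes; anything else is rejected).
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Turn a firmware version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(series: str, version: str) -> str:
    """Classify a device as 'patched', 'vulnerable', or 'outside-advisory-range'."""
    v = parse_version(version)
    lo, hi = (parse_version(x) for x in AFFECTED[series])
    if v >= parse_version(PATCHED[series]):
        return "patched"
    if lo <= v <= hi:
        return "vulnerable"
    # Older than the affected range: not covered by this advisory, verify separately.
    return "outside-advisory-range"


if __name__ == "__main__":
    # Constructed inventory entries, not real devices.
    for series, version in [("USG FLEX", "5.20"), ("NSG", "V1.33 Patch 5"), ("ATP", "5.21")]:
        print(f"{series} {version}: {assess(series, version)}")
```

A result of `outside-advisory-range` is not a clean bill of health: it only means the version is older than the ranges this advisory lists, so check it against Zyxel's other advisories.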

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful admin login from unusual IP
  • CGI program access without proper authentication sequence

Network Indicators:

  • HTTP requests to CGI endpoints without preceding authentication requests
  • Administrative actions from unexpected source IPs

SIEM Query:

source="zyxel_firewall" (event_type="authentication" AND result="success") AND NOT (src_ip IN [trusted_management_ips])
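The SIEM query above and the first log indicator (failures followed by a success from an unusual IP) as one added detection routine run over constructed log lines; this is not code from the advisory page or from Zyxel. It assumes a `key="value"` log format with the field names used in the query (`source`, `event_type`, `result`, `src_ip`, `user`); real Zyxel syslog output is formatted differently, so the parser is the part to adapt to your collector.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample logs (documentation IP ranges), not captured device output.
SAMPLE_LOGS = [
    'source="zyxel_firewall" event_type="authentication" result="success" src_ip="192.0.2.10" user="admin"',
    'source="zyxel_firewall" event_type="authentication" result="failure" src_ip="203.0.113.7" user="admin"',
    'source="zyxel_firewall" event_type="authentication" result="failure" src_ip="203.0.113.7" user="admin"',
    'source="zyxel_firewall" event_type="authentication" result="failure" src_ip="203.0.113.7" user="admin"',
    'source="zyxel_firewall" event_type="authentication" result="success" src_ip="203.0.113.7" user="admin"',
    'source="zyxel_firewall" event_type="traffic" action="allow" src_ip="198.51.100.5"',
    'source="zyxel_firewall" event_type="authentication" result="success" src_ip="198.51.100.5" user="admin"',
]

# Constructed trusted management set (the [trusted_management_ips] list in the SIEM query).
TRUSTED_MANAGEMENT_IPS: Set[str] = {"192.0.2.10", "192.0.2.11"}

_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key="value" log line into a dict (assumed format, see lead-in)."""
    return dict(_KV_RE.findall(line))


def detect(lines: List[str], trusted_ips: Set[str], failure_threshold: int = 3) -> List[str]:
    """Return alert strings for suspicious authentication events.

    Alerts on (a) any successful authentication from an IP outside the trusted
    management set, mirroring the SIEM query, and (b) a success preceded by
    failure_threshold or more failures from the same source IP.
    """
    alerts: List[str] = []
    failures: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_kv(line)
        if rec.get("source") != "zyxel_firewall" or rec.get("event_type") != "authentication":
            continue  # only authentication events are relevant here
        ip = rec.get("src_ip", "?")
        result = rec.get("result")
        if result == "failure":
            failures[ip] += 1
        elif result == "success":
            if ip not in trusted_ips:
                alerts.append(f"admin login from untrusted {ip} (user={rec.get('user')})")
            if failures[ip] >= failure_threshold:
                alerts.append(f"{failures[ip]} failures then success from {ip}")
            failures[ip] = 0  # reset the counter once a success is seen
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, TRUSTED_MANAGEMENT_IPS):
        print(alert)
```

The untrusted-source rule is the high-signal one for this CVE, since a bypass produces a success event with no matching credential use; the failure-then-success rule is a secondary indicator and will also fire on ordinary brute-force attempts.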
