CVE-2022-0556

7.3 HIGH

📋 TL;DR

This CVE describes a local privilege escalation vulnerability in Zyxel AP Configurator (ZAC) version 1.1.4: incorrect permission assignment on some of ZAC's directories lets an authenticated local user execute arbitrary code as a local administrator. It affects users running the vulnerable ZAC software on their Windows workstation. The attacker must already have a local account on the system; the flaw is not reachable over the network.

💻 Affected Systems

Products:
  • Zyxel AP Configurator (ZAC)
Versions: Version 1.1.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ZAC version 1.1.4; requires local access to the system running the software.

📦 What is this software?

Zyxel AP Configurator (ZAC) is a Windows desktop utility used to discover and configure Zyxel access points from an administrator's workstation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access gains full administrative control over the system, enabling installation of malware, data theft, or persistence mechanisms.

🟠

Likely Case

Local users escalate privileges to administrator level, potentially compromising the system and connected network devices.

🟢

If Mitigated

With ZAC updated to a fixed version, the directory permissions are corrected and the escalation path no longer exists; with only access controls in place, impact is limited to what an already-trusted local user could do anyway.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access, not remotely exploitable.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.1.5 or later

Vendor Advisory: https://www.zyxel.com/support/Zyxel-security-advisory-for-local-privilege-escalation-vulnerability-of-AP-Configurator.shtml

Restart Required: Yes

Instructions:

1. Download ZAC version 1.1.5 or later from Zyxel's official website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Restrict Local Access

all

Limit physical and remote local access to systems running ZAC to trusted users only.

Remove ZAC if Unused

windows

Uninstall ZAC if it is not required for operations.

Control Panel > Programs > Uninstall a program > Select Zyxel AP Configurator > Uninstall

🧯 If You Can't Patch

  • Implement strict access controls to limit who can log into systems running ZAC.
  • Monitor systems for unusual privilege escalation attempts and review logs regularly.

🔍 How to Verify

Check if Vulnerable:

Check ZAC version via: Open ZAC > Help > About, or check installed programs in Control Panel for version 1.1.4.

Check Version:

wmic product where name="Zyxel AP Configurator" get version

Note that wmic is deprecated on current Windows builds and that querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger repairs; reading the DisplayVersion value from the Uninstall registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent) gives the same answer without that side effect.

Verify Fix Applied:

Verify that the ZAC version is 1.1.5 or later using the same method, and confirm that no low-privileged principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) holds Write, Modify or Full Control rights on the ZAC install directory or anything beneath it, for example with icacls "<ZAC install dir>" /t. Any such ACE means a standard user can plant a file that an administrator's ZAC session will later execute.
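The following PowerShell script is an added example, not Zyxel's code or part of this advisory, that performs both checks above in one pass: it reads the installed ZAC version from the Uninstall registry keys (avoiding the Win32_Product side effect) and then walks the install tree looking for Allow ACEs that give write rights to low-privileged principals. It assumes ZAC registers a standard uninstall entry whose DisplayName contains "Zyxel AP Configurator"; the default of the -FallbackDir parameter is a hypothetical path, not one documented by Zyxel, and should be set to the real install location if the registry entry has no InstallLocation value.

```powershell
# Added example, not Zyxel's code: verify the ZAC version and look for weak
# ACLs on its install tree. Assumes ZAC registers a standard uninstall entry
# whose DisplayName contains "Zyxel AP Configurator"; the install directory
# is taken from that entry, falling back to $FallbackDir (a hypothetical path).
param([string]$FallbackDir = 'C:\Program Files (x86)\Zyxel\ZAC')

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$zac = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*Zyxel AP Configurator*' } |
       Select-Object -First 1

if (-not $zac) {
    Write-Output 'ZAC not found in the uninstall registry; nothing to check.'
    return
}

# Version check: 1.1.4 is affected, 1.1.5 and later carry the fix.
$ver = [version]$zac.DisplayVersion
Write-Output ("ZAC {0} is installed" -f $ver)
if ($ver -lt [version]'1.1.5') {
    Write-Warning 'Affected version (CVE-2022-0556): upgrade to ZAC 1.1.5 or later.'
}

# Locate the install directory.
$dir = $zac.InstallLocation
if (-not $dir) { $dir = $FallbackDir }
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Warning "Install directory $dir not found; set -FallbackDir to the real path."
    return
}

# Principals that must never hold write rights on a program directory that
# an administrator later runs code from.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Any Allow ACE carrying the Write bits (WriteData/CreateFiles, AppendData,
# WriteAttributes, ...) is a problem; Modify and FullControl include them.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write

$items = @(Get-Item -LiteralPath $dir) +
         @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPrivSids -contains $sid -and (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Low-privileged principals can write into the ZAC install tree:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No low-privileged write access found under $dir."
}
```

Save it as a .ps1 file and run it from an elevated prompt (Get-Acl needs read access to every object's security descriptor). A finding on a fixed version means the permissions were inherited from a parent directory or changed after installation and still need to be corrected; an empty result on 1.1.4 does not mean the host is safe, because the specific directories Zyxel corrected are not listed in this advisory.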

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events in Windows Event Logs (Security logs)
  • Unauthorized access to ZAC directories

Network Indicators:

  • Unusual outbound connections from the ZAC host post-exploitation

SIEM Query:

EventID=4672 OR EventID=4688 | where ProcessName contains "zac" OR CommandLine contains "zac"

This is pseudo-syntax; adapt it to your SIEM. Event ID 4688 (process creation) is only written when Audit Process Creation is enabled, and its CommandLine field is only populated when "Include command line in process creation events" is also turned on. Event ID 4672 (special privileges assigned to new logon) fires on every administrator logon, so on its own it is noise; it only becomes useful when correlated with a process launched from the ZAC install directory by an account that is not expected to hold administrator rights.
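As an added example (not Zyxel's code and not part of this advisory), the following PowerShell script hunts the local Security log for 4688 events where the new process or its parent lives under the ZAC install tree, and flags launches with a full (elevated) token or an image that lacks a valid Authenticode signature, which is what a file planted by a low-privileged user into a writable ZAC directory would look like. The default value of -ZacDir is a hypothetical install path, not one documented by Zyxel, and the script assumes process-creation auditing is enabled; without it there are no 4688 events to search.

```powershell
# Added example, not Zyxel's code: hunt Security log 4688 (process creation)
# events for anything launched from, or by, the ZAC install tree, and flag
# elevated tokens and unsigned images. Assumes process-creation auditing is
# on and that $ZacDir is ZAC's install directory (hypothetical default path).
param(
    [string]$ZacDir = 'C:\Program Files (x86)\Zyxel\ZAC',
    [int]$Days = 7
)

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $inZac = ($d.NewProcessName -like "$ZacDir\*") -or ($d.ParentProcessName -like "$ZacDir\*")
    if (-not $inZac) { continue }

    # TokenElevationType: %%1937 is a full (elevated) administrator token.
    $elev = switch ($d.TokenElevationType) {
        '%%1936' { 'Default' }
        '%%1937' { 'Full (elevated)' }
        '%%1938' { 'Limited' }
        default  { $d.TokenElevationType }
    }

    # An attacker-planted binary in the install tree will normally not carry
    # a valid Authenticode signature; an image that has since been removed
    # is suspicious as well.
    $sig = if ($d.NewProcessName -and (Test-Path -LiteralPath $d.NewProcessName)) {
        (Get-AuthenticodeSignature -FilePath $d.NewProcessName).Status
    } else { 'FileMissing' }

    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process     = $d.NewProcessName
        Parent      = $d.ParentProcessName
        Elevation   = $elev
        Signature   = $sig
        Suspicious  = ($elev -eq 'Full (elevated)') -or ($sig -ne 'Valid')
        CommandLine = $d.CommandLine   # empty unless command-line auditing is enabled
    }
}

$hits | Sort-Object Time |
    Format-Table Time, User, Process, Elevation, Signature, Suspicious -AutoSize
```

Run it from an elevated prompt, since reading the Security log requires administrator rights. If Zyxel's own ZAC binaries are not Authenticode-signed on your build, the Signature column will show NotSigned for legitimate launches too; in that case baseline the normal image names first and treat only new or changed images under the install tree as suspicious.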

🔗 References
