Zyxel security advisory for CVE-2018-9149

Zyxel is aware of the recently disclosed weakness in the Multy X (WSQ50) WiFi System, listed in the US NIST National Vulnerability Database as CVE-2018-9149. Zyxel launched an investigation immediately upon becoming aware of it.

What is the vulnerability?

The Multy X device allows an attacker to connect to it with a USB-to-UART cable once the device is dismantled. An attacker could then log in to the system with root privileges using the default password and start the device’s telnet service as a backdoor.

What Zyxel products are impacted?

Multy X (WSQ50)

How is Zyxel resolving it?

It is important to note that the attack requires physical access to the device, which means the vulnerability cannot be exploited remotely over the network. In addition, for security reasons the Multy X hardware design has no console interface mounted, so the attacker must attach an additional USB-to-UART component to the device PCB in order to gain console access. Since the attack requires physically dismantling the device, we consider the severity of this flaw rather low. Therefore, no patch is planned for the time being.

Contact

Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact security@zyxel.com.tw

Acknowledgement

National Center for Cyber Security Technology of Taiwan

Revision history

Initial release 2018-04-09