Zyxel security advisory for pre-configured password management vulnerability of home routers and WiFi systems

CVE: CVE-2021-35033



Zyxel has released patches for products affected by a pre-configured password management vulnerability. Users are advised to install it for optimal protection.


What is the vulnerability?

An improper password management vulnerability has been found in specific home routers and WiFi systems. The vulnerability could allow an attacker to gain root access to the device if a local attacker dismantles and takes the device and connects to it using a USB-to-UART cable, or if the remote assistance feature has been enabled by an authenticated user.


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their warranty and support period and released firmware patches to address the issue, as shown in the table below.

Affected model Patch availability
NBG6818 V1.00(ABSC.5)C01
NBG7815 V1.00(ABSK.7)C01
WSQ20 V1.00(ABOF.11)C02
WSQ50 V2.20(ABKJ.7)C02
WSQ60 V2.20(ABND.8)C02
WSR30 V1.00(ABMY.12)C02
  1. Upgrade firmware through the web GUI or App.
  2. Upgrade firmware through the App.

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.



Thanks to Tenable for reporting the issues to us.


Revision history

2021-11-23: Initial release