Zyxel security advisory for pre-configured password management vulnerability of home routers and WiFi systems
CVE: CVE-2021-35033
Summary
Zyxel has released patches for products affected by a pre-configured password management vulnerability. Users are advised to install them for optimal protection.
What is the vulnerability?
An improper password management vulnerability has been found in specific home routers and WiFi systems. The vulnerability could allow an attacker to gain root access to the device in either of two cases: a local attacker takes the device, dismantles it, and connects to it using a USB-to-UART cable, or the remote assistance feature has been enabled by an authenticated user.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their warranty and support period and released firmware patches to address the issue, as shown in the table below.
Affected model | Patch availability |
---|---|
NBG6818 | V1.00(ABSC.5)C01 |
NBG7815 | V1.00(ABSK.7)C01 |
WSQ20 | V1.00(ABOF.11)C02 |
WSQ50 | V2.20(ABKJ.7)C02 |
WSQ60 | V2.20(ABND.8)C02 |
WSR30 | V1.00(ABMY.12)C02 |
- Upgrade firmware through the web GUI or App.
- Upgrade firmware through the App.
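For checking a device inventory against the table above, the following is an added example, not Zyxel's code: it parses firmware strings of the form shown in the table and reports whether each device is at or above the patched build. The numeric ordering of the version fields, the names `parse_fw` and `check`, and the sample inventory are assumptions made for this example.

```python
import re

# Patched firmware per model, copied from the advisory table.
PATCHED = {
    "NBG6818": "V1.00(ABSC.5)C01",
    "NBG7815": "V1.00(ABSK.7)C01",
    "WSQ20": "V1.00(ABOF.11)C02",
    "WSQ50": "V2.20(ABKJ.7)C02",
    "WSQ60": "V2.20(ABND.8)C02",
    "WSR30": "V1.00(ABMY.12)C02",
}

# V<major>.<minor>(<product code>.<patch>)C<build>, the shape used in the table.
_FW = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")


def parse_fw(text):
    """Split a firmware string into (product_code, comparable_tuple)."""
    m = _FW.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    major, minor, code, patch, build = m.groups()
    return code, (int(major), int(minor), int(patch), int(build))


def check(model, installed):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unknown'."""
    fixed = PATCHED.get(model.strip().upper())
    if fixed is None:
        # Not in the table: the advisory only covers models still in support,
        # so this is not evidence that the device is unaffected.
        return "unlisted"
    try:
        code, have = parse_fw(installed)
    except ValueError:
        return "unknown"
    fixed_code, need = parse_fw(fixed)
    if code != fixed_code:
        return "unknown"  # firmware string belongs to a different product
    # Assumption: fields order numerically, most significant first.
    return "patched" if have >= need else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    inventory = [("NBG6818", "V1.00(ABSC.4)C0"), ("WSQ50", "V2.20(ABKJ.7)C02"),
                 ("WSR30", "V1.00(ABMY.9)C0"), ("OTHER-MODEL", "V1.00(AAAA.1)C0")]
    for model, fw in inventory:
        print(f"{model:12} {fw:20} {check(model, fw)}")
```

Fields are compared as integers rather than strings so that a build such as `ABOF.9` sorts below `ABOF.11`.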
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Acknowledgment
Thanks to Tenable for reporting the issues to us.
Revision history
2021-11-23: Initial release