Zyxel security advisory for reflected cross-site scripting vulnerability of firewalls

CVE : CVE-2019-9955


Summary

Zyxel security firewalls are vulnerable to a reflected cross-site scripting vulnerability. Users are advised to install the applicable hotfixes for optimal protection.


What's the vulnerability?

The reflected cross-site scripting vulnerability was identified on the login pages of Zyxel security firewalls, where the value of the 'mp_idx' parameter was reflected into the page without sanitization.
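As a defender-side illustration added here (not part of Zyxel's advisory or firmware), the following Python triages constructed web-server log lines for login-page requests whose 'mp_idx' value carries HTML-significant characters after URL decoding. The log format, the '/login' path and the assumption that a legitimate mp_idx is a short decimal index are all constructed for this example, not taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that break out of an HTML text/attribute context when echoed unescaped.
HTML_META = re.compile(r'[<>"\']')
# Assumption (not stated in the advisory): a benign mp_idx is a short decimal index.
BENIGN = re.compile(r'^\d{1,6}$')
# Simplified combined-log-style line: client ip, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_param(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded values are seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_mp_idx(target: str):
    """Return (decoded value, verdict) for the mp_idx parameter of a request target, or None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)  # parse_qs decodes once
    if 'mp_idx' not in qs:
        return None
    value = decode_param(qs['mp_idx'][0])
    if BENIGN.match(value):
        return value, 'benign'
    if HTML_META.search(value):
        return value, 'suspect'      # would land in the page unescaped on a vulnerable build
    return value, 'unexpected'       # not an index, but no HTML metacharacters

def triage(lines):
    """Yield (ip, target, value, verdict) for every request that carries mp_idx."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        result = classify_mp_idx(m['target'])
        if result is not None:
            yield m['ip'], m['target'], *result

SAMPLE_LOG = [  # constructed lines; RFC 5737 documentation addresses, not real clients
    '203.0.113.5 - - [18/Apr/2019:10:00:01 +0000] "GET /login?mp_idx=12 HTTP/1.1" 200',
    '198.51.100.9 - - [18/Apr/2019:10:00:07 +0000] "GET /login?mp_idx=12%3Cb%3Ex HTTP/1.1" 200',
    '198.51.100.9 - - [18/Apr/2019:10:00:09 +0000] "GET /login?mp_idx=%2522 HTTP/1.1" 200',
    '192.0.2.7 - - [18/Apr/2019:10:00:11 +0000] "GET /login HTTP/1.1" 200',
]

for ip, target, value, verdict in triage(SAMPLE_LOG):
    print(f'{verdict:10} {ip:15} mp_idx={value!r}')
```

The same allowlist check (reject anything that is not a plain index) is also the server-side fix pattern: validate the parameter on input and HTML-encode it on output.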


What should you do?

After a thorough investigation, we’ve identified the vulnerable products and listed them in the table below. Hotfixes for the affected models are now available, and we will include patches in the models’ next regular firmware release. We urge users to install them for optimal protection.

Device impacted Hotfix availability
ATP200
ATP500
ATP800
USG20-VPN
USG20W-VPN
USG40
USG40W
USG60
USG60W
USG110
USG210
USG310
USG1100
USG1900
USG2200-VPN
ZyWALL 110
ZyWALL 310
ZyWALL 1100
VPN50
VPN100
VPN300

Got a question or a tipoff?

Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact security@zyxel.com.tw and we’ll get right back to you.


Acknowledgment

Thanks to Aaron Bishop at Security Metrics for reporting this vulnerability to us.
https://www.securitymetrics.com/blog/Zyxel-Devices-Vulnerable-Cross-Site-Scripting-Login-page


Revision history

2019-4-18: Initial release

2019-4-25: Added VPN50/100/300 to the list of impacted devices