Security advisories
PSIRT Policy
The Zyxel Product Security Incident Response Team (PSIRT) responds to vulnerability reports, investigates the reported vulnerabilities, and implements the best course of action to protect our customers. We help you build trust with your customers by making network security our highest priority. It’s what drives us to deliver timely, actionable advice on emerging vulnerabilities. Zyxel is authorized as a CVE Numbering Authority (CNA). This recognizes our commitment to security disclosures and a continuous enhancement of vulnerability reporting.
Report Vulnerability
If you have discovered a security vulnerability in Zyxel products, we appreciate your help in reporting it to us in a responsible manner. Our PSIRT will respond and coordinate a patch to protect your subscribers before any opportunists exploit the issue.
Please include the following information when you report a security vulnerability.
- Affected model(s) and firmware/software version(s)
- Vulnerability description and potential impacts
- Step-by-step instructions to reproduce the issue
- Proof-of-concept (PoC) or exploit code for the issue
- Any suggested solutions to fix this (Optional)
- Weakness enumeration (e.g. CWE) (Optional)
- Severity (e.g. CVSS v3.x) (Optional)
Note: Zyxel does not have a security bug bounty program for reported vulnerabilities.
Advisories
Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE
Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE
Zyxel security advisory for cleartext storage of information vulnerability
Zyxel security advisory for buffer overflow vulnerability in Realtek eCos SDK
Zyxel security advisory for OS command injection and buffer overflow vulnerabilities of CPE and ONTs
Zyxel security advisory for multiple vulnerabilities
Zyxel security advisory for Apache Log4j RCE vulnerabilities
Zyxel security advisory for WiFi simple config buffer overflow vulnerabilities
Zyxel security advisory for FragAttacks against WiFi products
Zyxel security advisory for CGI vulnerability of LTE
Zyxel security advisory for DNSpooq
Zyxel security advisory for remote code execution and denial-of-service vulnerabilities of CPE
Zyxel security advisory for a new variant of Gafgyt malware
Zyxel security advisory for P1302-T10D v3 modem insecure direct object reference vulnerability
Zyxel security advisory for the new Mirai malware variant targeting P660HN devices
Reinforcing router security: German BSI’s Secure Broadband Router guideline
Zyxel security advisory for BCMUPnP_Hunter botnet
Zyxel security advisory for IKEv1 protocol vulnerability
Zyxel security advisory for the Linux kernel TCP flaw
Security update for Zyxel CPE devices and Small Business Gateways
Security advisory for the VPNFilter malware
Zyxel security advisory for Denial of Service on P-660HW v3
Zyxel security advisory for Meltdown and Spectre attacks
Zyxel security advisory for the recent botnet attacks targeting PK5001Z
Zyxel security advisory for dnsmasq vulnerabilities
Zyxel statement to vulnerability CVE-2017-3216
Zyxel advisory: password change recommendations to maximize protection
Zyxel statement for the TR-064 protocol implementation in CPEs
Brute force attacks? Zyxel to tighten protection on routers and CPE
Zyxel advisory for vulnerability CVE-2015-7547
Zyxel to fix SSH private Key and certificate vulnerability
Zyxel to issue fix for CERT VU#870744 Vulnerabilities
Zyxel to issue fix for LTE3301-Q222 software bug
Zyxel not affected by “RSA-CRT Key Leaks”
Zyxel product support for Microsoft Windows 10
Guard against “Misfortune Cookie” vulnerability
Shellshock!? Is it an issue for Zyxel products?