Security advisories

PSIRT Policy

The Zyxel Product Security Incident Response Team (PSIRT) responds to vulnerability reports, investigates the reported vulnerabilities, and implements the best course of action to protect our customers. We help you build trust with your customers by making network security our highest priority. It’s what drives us to deliver timely, actionable advice on emerging vulnerabilities. Zyxel is authorized as a CVE Numbering Authority (CNA). This recognizes our commitment to security disclosures and a continuous enhancement of vulnerability reporting.

Report Vulnerability

If you have discovered a security vulnerability in Zyxel products, we appreciate your help in reporting it to us in a responsible manner. Our PSIRT will respond and coordinate a patch to protect your subscribers before any opportunists exploit the issue.

Please include the following information when you report a security vulnerability.

  1. Affected model(s) and firmware/software version(s)
  2. Vulnerability description and potential impacts
  3. Step-by-step instructions to reproduce the issue
  4. Proof-of-concept (PoC) or exploit code for the issue
  5. Any suggested solutions to fix this (Optional)
  6. Weakness enumeration (e.g. CWE) (Optional)
  7. Severity (e.g. CVSS v3.x) (Optional)

Note: Zyxel does not have a security bug bounty program for reported vulnerabilities.

 

Advisories

PSIRT Policy

The Zyxel Product Security Incident Response Team (PSIRT) responds to vulnerability reports, investigates the reported vulnerabilities, and implements the best course of action to protect our customers. We help you build trust with your customers by making network security our highest priority. It’s what drives us to deliver timely, actionable advice on emerging vulnerabilities. Zyxel is authorized as a CVE Numbering Authority (CNA). This recognizes our commitment to security disclosures and a continuous enhancement of vulnerability reporting.

Report Vulnerability

If you have discovered a security vulnerability in Zyxel products, we appreciate your help in reporting it to us in a responsible manner. Our PSIRT will respond and coordinate a patch to protect your subscribers before any opportunists exploit the issue.

Please include the following information when you report a security vulnerability.

  1. Affected model(s) and firmware/software version(s)
  2. Vulnerability description and potential impacts
  3. Step-by-step instructions to reproduce the issue
  4. Proof-of-concept (PoC) or exploit code for the issue
  5. Any suggested solutions to fix this (Optional)
  6. Weakness enumeration (e.g. CWE) (Optional)
  7. Severity (e.g. CVSS v3.x) (Optional)

Note: Zyxel does not have a security bug bounty program for reported vulnerabilities.

 

Advisories

Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and Wi-Fi extenders


Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions


Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices


Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices


Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE


Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE


Zyxel security advisory for security misconfiguration vulnerability of 4G LTE indoor routers


Zyxel security advisory for cleartext storage of Wi-Fi credentials and improper symbolic links of FTP for AX7501-B0 CPE


Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and Wi-Fi extenders


Zyxel security advisory for DoS vulnerability of switches


Zyxel security advisory for cleartext storage of information vulnerability


Zyxel security advisory for buffer overflow vulnerability in Realtek eCos SDK


Zyxel security advisory for OS command injection and buffer overflow vulnerabilities of CPE and ONTs


Zyxel security advisory for multiple vulnerabilities


Zyxel security advisory for Apache Log4j RCE vulnerabilities


Zyxel security advisory for Wi-Fi simple config buffer overflow vulnerabilities


Zyxel security advisory for FragAttacks against Wi-Fi products


Zyxel security advisory for CGI vulnerability of LTE


Zyxel security advisory for DNSpooq


Zyxel security advisory for remote code execution and denial-of-service vulnerabilities of CPE


Zyxel security advisory for a new variant of Gafgyt malware


Zyxel security advisory for P1302-T10D v3 modem insecure direct object reference vulnerability


Zyxel security advisory for the new Mirai malware variant targeting P660HN devices


Reinforcing router security: German BSI’s Secure Broadband Router guideline


Zyxel security advisory for BCMUPnP_Hunter botnet


Zyxel security advisory for IKEv1 protocol vulnerability


Zyxel security advisory for the Linux kernel TCP flaw


Security update for Zyxel CPE devices and Small Business Gateways


Security advisory for the VPNFilter malware


Zyxel security advisory for Denial of Service on P-660HW v3


Zyxel security advisory for Meltdown and Spectre attacks


Zyxel security advisory for the recent botnet attacks targeting PK5001Z


Zyxel security advisory for dnsmasq vulnerabilities


Zyxel statement to vulnerability CVE-2017-3216


Zyxel advisory: password change recommendations to maximize protection


Zyxel statement for the TR-064 protocol implementation in CPEs


Brute force attacks? Zyxel to tighten protection on routers and CPE


Zyxel advisory for vulnerability CVE-2015-7547


Zyxel to fix SSH private Key and certificate vulnerability


Zyxel to issue fix for CERT VU#870744 Vulnerabilities


Zyxel to issue fix for LTE3301-Q222 software bug


Zyxel not affected by “RSA-CRT Key Leaks”


Zyxel product support for Microsoft Windows 10


Guard against “Misfortune Cookie” vulnerability


Shellshock!? Is it an issue for Zyxel products?


WPS brute force attack


End User License Agreement (EULA)

Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender versions


Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, Fiber ONT, and Wi-Fi extender devices


Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE


Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE


Zyxel security advisory for command injection and buffer overflow vulnerabilities of CPE, fiber ONTs, and WiFi extenders


Zyxel security advisory for cleartext storage of information vulnerability


Zyxel security advisory for buffer overflow vulnerability in Realtek eCos SDK


Zyxel security advisory for OS command injection and buffer overflow vulnerabilities of CPE and ONTs


Zyxel security advisory for multiple vulnerabilities


Zyxel security advisory for Apache Log4j RCE vulnerabilities


Zyxel security advisory for WiFi simple config buffer overflow vulnerabilities


Zyxel security advisory for FragAttacks against WiFi products


Zyxel security advisory for CGI vulnerability of LTE


Zyxel security advisory for DNSpooq


Zyxel security advisory for remote code execution and denial-of-service vulnerabilities of CPE


Zyxel security advisory for a new variant of Gafgyt malware


Zyxel security advisory for P1302-T10D v3 modem insecure direct object reference vulnerability


Zyxel security advisory for the new Mirai malware variant targeting P660HN devices


Reinforcing router security: German BSI’s Secure Broadband Router guideline


Zyxel security advisory for BCMUPnP_Hunter botnet


Zyxel security advisory for IKEv1 protocol vulnerability


Zyxel security advisory for the Linux kernel TCP flaw


Security update for Zyxel CPE devices and Small Business Gateways


Security advisory for the VPNFilter malware


Zyxel security advisory for Denial of Service on P-660HW v3


Zyxel security advisory for Meltdown and Spectre attacks


Zyxel security advisory for the recent botnet attacks targeting PK5001Z


Zyxel security advisory for dnsmasq vulnerabilities


Zyxel statement to vulnerability CVE-2017-3216


Zyxel advisory: password change recommendations to maximize protection


Zyxel statement for the TR-064 protocol implementation in CPEs


Brute force attacks? Zyxel to tighten protection on routers and CPE


Zyxel advisory for vulnerability CVE-2015-7547


Zyxel to fix SSH private Key and certificate vulnerability


Zyxel to issue fix for CERT VU#870744 Vulnerabilities


Zyxel to issue fix for LTE3301-Q222 software bug


Zyxel not affected by “RSA-CRT Key Leaks”


Zyxel product support for Microsoft Windows 10


Guard against “Misfortune Cookie” vulnerability


Shellshock!? Is it an issue for Zyxel products?


WPS brute force attack


End User License Agreement (EULA)