Zyxel has released firmware updates for remote code execution (RCE) and denial-of-service (DoS) vulnerabilities affecting some customer premises equipment (CPE) models. Customers are advised to install the updates for optimal protection.
What is the vulnerability?
Remote code execution and denial-of-service vulnerabilities caused by improper input sanitization of HTTP requests were identified in the zhttpd web server on some Zyxel CPE. Because the flaws are in the device's own web server, any host that can send HTTP requests to the management interface is in scope; until the patched firmware is installed, keep WAN-side remote management disabled and restrict LAN access to the web interface to trusted hosts.
What products are vulnerable—and what should you do?
After a thorough investigation, we have identified the vulnerable CPE that are within their warranty and support period and are releasing firmware patches to address the issue, as shown in the table below.
Please note that the table does NOT include customized models for internet service providers (ISPs). For ISP customers, please contact your Zyxel representative for further details. For users who purchased the listed devices on their own, please contact your local Zyxel support team for the new firmware file to ensure optimal protection.
| Affected models | Patch available in |
| --- | --- |
| EMG5723-T50K | V5.50(ABOM.5)C0 in Dec 2020 |
| EMG6726-B10A | V5.13(ABNP.6)C0 in Feb 2021 |
| EX3510-B0 | V5.17(ABUP.3)C0 in Mar 2021 |
| EX5510-B0 | V5.15(ABQX.3)C0 in Jan 2021 |
| VMG1312-T20B | V5.50(ABSB.3)C0 in Dec 2020 |
| VMG3625-T50B | V5.50(ABPM.4)C0 in Dec 2020 |
| VMG3925-B10B/B10C | V5.13(AAVF.16)C0 in Dec 2020 |
| VMG3927-B50A_B60A | V5.15(ABMT.5)C0 in Dec 2020 |
| VMG3927-B50B | V5.13(ABLY.6)C0 in Feb 2021 |
| VMG3927-T50K | V5.50(ABOM.5)C0 in Dec 2020 |
| VMG4005-B50B | V5.13(ABRL.5)C0 in Q3 2021 |
| VMG4927-B50A | V5.13(ABLY.6)C0 in Feb 2021 |
| VMG8623-T50B | V5.50(ABPM.4)C0 in Dec 2020 |
| VMG8825-B50A_B60A | V5.15(ABMT.5)C0 in Dec 2020 |
| VMG8825-Bx0B | V5.15(ABNY.5)C0 in Dec 2020 |
| VMG8825-T50K | V5.50(ABOM.5)C0 in Dec 2020 |
| VMG8924-B10D | V5.13(ABGQ.6)C0 in Dec 2020 |
| XMG3927-B50A | V5.15(ABMT.5)C0 in Dec 2020 |
| XMG8825-B50A | V5.15(ABMT.5)C0 in Dec 2020 |
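For anyone checking a fleet of these devices against the table above, the following is an added example (not Zyxel's code and not part of the advisory) of an inventory checker. It transcribes the table into a lookup, parses Zyxel's `V<major>.<minor>(<line>.<build>)C<n>` firmware strings, expands the combined model cells (`B10B/B10C`, `B50A_B60A`, the `x` wildcard in `Bx0B`), and reports whether a given model and running version is at or above the first fixed build. The comparison rule (same firmware line letters, then higher `major.minor` or higher build number means fixed) and the treatment of a different line code as "unknown" are assumptions about Zyxel's numbering, not statements from the advisory; ISP-customized builds are outside the table and are reported as such rather than guessed at.

```python
import re

# Patch table transcribed from the advisory: model cell -> first fixed firmware.
PATCH_TABLE = {
    "EMG5723-T50K": "V5.50(ABOM.5)C0",
    "EMG6726-B10A": "V5.13(ABNP.6)C0",
    "EX3510-B0": "V5.17(ABUP.3)C0",
    "EX5510-B0": "V5.15(ABQX.3)C0",
    "VMG1312-T20B": "V5.50(ABSB.3)C0",
    "VMG3625-T50B": "V5.50(ABPM.4)C0",
    "VMG3925-B10B/B10C": "V5.13(AAVF.16)C0",
    "VMG3927-B50A_B60A": "V5.15(ABMT.5)C0",
    "VMG3927-B50B": "V5.13(ABLY.6)C0",
    "VMG3927-T50K": "V5.50(ABOM.5)C0",
    "VMG4005-B50B": "V5.13(ABRL.5)C0",
    "VMG4927-B50A": "V5.13(ABLY.6)C0",
    "VMG8623-T50B": "V5.50(ABPM.4)C0",
    "VMG8825-B50A_B60A": "V5.15(ABMT.5)C0",
    "VMG8825-Bx0B": "V5.15(ABNY.5)C0",
    "VMG8825-T50K": "V5.50(ABOM.5)C0",
    "VMG8924-B10D": "V5.13(ABGQ.6)C0",
    "XMG3927-B50A": "V5.15(ABMT.5)C0",
    "XMG8825-B50A": "V5.15(ABMT.5)C0",
}

# Assumed shape of a Zyxel firmware string: V5.13(ABNP.6)C0
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(s):
    """Split 'V5.13(ABNP.6)C0' into (5, 13, 'ABNP', 6, 0); ValueError on any other shape."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {s!r}")
    major, minor, line, build, c = m.groups()
    return int(major), int(minor), line, int(build), int(c)


def expand_models(cell):
    """'VMG3925-B10B/B10C' -> ['VMG3925-B10B', 'VMG3925-B10C']; '_' is treated like '/'."""
    parts = re.split(r"[/_]", cell)
    prefix = parts[0].rsplit("-", 1)[0]
    return [parts[0]] + [f"{prefix}-{p}" for p in parts[1:]]


def model_matches(pattern, model):
    """Case-insensitive exact match; a lowercase 'x' in the table stands for one character."""
    regex = "".join("." if ch == "x" else re.escape(ch.upper()) for ch in pattern)
    return re.fullmatch(regex, model.upper()) is not None


def fixed_version_for(model):
    """First fixed firmware for a model, or None when the model is not in the table."""
    for cell, fixed in PATCH_TABLE.items():
        for pattern in expand_models(cell):
            if model_matches(pattern, model):
                return fixed
    return None


def assess(model, running_version):
    """Return 'patched', 'vulnerable', 'unknown-model' or 'different-firmware-line'."""
    fixed = fixed_version_for(model)
    if fixed is None:
        return "unknown-model"
    fmaj, fmin, fline, fbuild, _ = parse_version(fixed)
    rmaj, rmin, rline, rbuild, _ = parse_version(running_version)
    if rline != fline:
        # A different line code (e.g. an ISP-customised build) is not covered by the table.
        return "different-firmware-line"
    # Assumption: within one firmware line, a higher major.minor or build number contains the fix.
    if (rmaj, rmin, rbuild) >= (fmaj, fmin, fbuild):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (model, version reported by the device), not real data.
    inventory = [
        ("EMG6726-B10A", "V5.13(ABNP.5)C0"),
        ("VMG8825-B50B", "V5.15(ABNY.5)C0"),
        ("VMG3925-B10C", "V5.13(AAVF.9)C0"),
        ("EX3510-B0", "V5.17(ZZZZ.3)C0"),
        ("NBG6817", "V1.00(ABCS.10)C0"),
    ]
    for model, version in inventory:
        print(f"{model:<16} {version:<18} {assess(model, version)}")
```

Version strings that do not follow the `V..(....)C.` shape (beta builds, vendor variants) raise `ValueError` rather than being silently treated as patched; treat those devices as needing manual review.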
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact email@example.com and we’ll get right back to you.
Thanks to Thomas Rinsma for reporting the issues to us.
2020-12-17: Initial release