Your browser either does not support JavaScript or you have turned JavaScript off.

Zyxel security advisory for XSS vulnerability of GS1900 series switches

CVE: CVE-2021-35030


Zyxel has released hotfixes addressing a cross-site scripting (XSS) vulnerability in the GS1900 series of switches and will include the patch in its next regular firmware update in October. Users are advised to install the applicable firmware updates for optimal protection.

What is the vulnerability?

A XSS vulnerability was identified in Zyxel’s GS1900 series of switches, such that an attack could be triggered when a user accesses certain GUI pages with the malicious LLDP packets processed by the switch. However, this can only occur if the attacker is directly connected to the switch, because the LLDP protocol only allows LLDP packets to be sent to and received from devices that are directly connected to each other; thus, the risk is relatively low.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable switches that are within their warranty and support period and released firmware patches to address the issue, as shown in the table below.

Affected model Patch availability
Hotfix Standard firmware
GS1900-8 V2.70 in Oct. 2021
GS1900-8HP V2.70 in Oct. 2021
GS1900-10HP V2.70 in Oct. 2021
GS1900-16 V2.70 in Oct. 2021
GS1900-24E V2.70 in Oct. 2021
GS1900-24EP V2.70 in Oct. 2021
GS1900-24 V2.70 in Oct. 2021
GS1900-24HP V2.70 in Oct. 2021
GS1900-24HPv2 V2.70 in Oct. 2021
GS1900-48 V2.70 in Oct. 2021
GS1900-48HP V2.70 in Oct. 2021
GS1900-48HPv2 V2.70 in Oct. 2021

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.


Thanks to Jasper Lievisse Adriaanse for reporting the issue to us.

Revision history

2021-7-27: Initial release
2021-7-30: Updated the hotfix links