Your browser either does not support JavaScript or you have turned JavaScript off.

Zyxel security advisory for command injection and cross-site request forgery vulnerabilities of select Armor home routers

CVEs: CVE-2021-4029, CVE-2021-4030


Summary

Zyxel has released a patch addressing command injection and cross-site request forgery vulnerabilities in the Armor Z2 home router. Users are advised to install it for optimal protection.


What are the vulnerabilities?

CVE-2021-4029

A command-injection vulnerability in the CGI program of Armor Z1 and Z2 home routers could allow a local attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface.

CVE-2021-4030

A cross-site request forgery vulnerability in the HTTP daemon of Armor Z1 and Z2 home routers could allow an attacker to execute arbitrary commands if they coerce or trick a local user to visit a compromised website with malicious scripts.


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified only Armor Z2 as being within its warranty and support period, and have released a firmware patch to address these issues, as shown in the table below.

Affected model Patch availability
Armor Z2 (NBG6817) V1.00(ABCS.11)C0

Armor Z1 (NBG6816) entered end of life years previous; therefore, firmware updates are no longer supported. We recommend that users with the model replace it with a newer-generation product, which typically come with improved designs that better suit current applications.


Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.


Acknowledgment

Thanks to Exodus Intelligence for reporting the issues to us.


Revision history

2022-2-22: Initial release