CVE-2021-35033: Zyxel security advisory for pre-configured password management vulnerability of home routers and WiFi systems

A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, WSQ50, WSQ60, and WSR30 firmware with pre-configured password management could allow an attacker to obtain root access to the device, if the local attacker dismantles the device and uses a USB-to-UART cable to connect to the device, or if the remote assistance feature had been enabled by an authenticated user.


CVE: CVE-2021-35033

Summary

Zyxel has released patches for products affected by a pre-configured password management vulnerability. Users are advised to install them for optimal protection.

What is the vulnerability?

An improper password management vulnerability has been found in specific home routers and WiFi systems. The vulnerability could allow an attacker to gain root access to the device if a local attacker takes the device, dismantles it, and connects to it using a USB-to-UART cable, or if the remote assistance feature has been enabled by an authenticated user.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the vulnerable products that are within their warranty and support period and released firmware patches to address the issue, as shown in the table below.

Affected model    Patch availability
NBG6818           V1.00(ABSC.5)C01
NBG7815           V1.00(ABSK.7)C01
WSQ20             V1.00(ABOF.11)C02
WSQ50             V2.20(ABKJ.7)C02
WSQ60             V2.20(ABND.8)C02
WSR30             V1.00(ABMY.12)C02

  1. Upgrade firmware through the web GUI or App.
  2. Upgrade firmware through the App.
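
To apply the table to a device inventory, the following added example (not part of Zyxel's advisory) parses firmware strings and compares them numerically against the patched versions listed above. It assumes the layout V<major>.<minor>(<model code>.<patch>)C<revision> and that a version at or above the listed one carries the fix; the function names and inventory entries are constructed for illustration.

```python
import re

# Patched firmware per model, copied from the advisory table.
PATCHED = {
    "NBG6818": "V1.00(ABSC.5)C01",
    "NBG7815": "V1.00(ABSK.7)C01",
    "WSQ20": "V1.00(ABOF.11)C02",
    "WSQ50": "V2.20(ABKJ.7)C02",
    "WSQ60": "V2.20(ABND.8)C02",
    "WSR30": "V1.00(ABMY.12)C02",
}
# Assumption: V<major>.<minor>(<model code>.<patch>)C<revision>, ordered field by field.
_FW = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)C(\d+)$")

def parse_fw(version):
    """Return (model_code, sortable_tuple) or raise ValueError."""
    m = _FW.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    major, minor, code, patch, rev = m.groups()
    return code, (int(major), int(minor), int(patch), int(rev))

def assess(model, installed):
    """Classify a device: 'patched', 'needs-update', 'not-listed' or 'unknown'."""
    baseline = PATCHED.get(model.upper())
    if baseline is None:
        return "not-listed"      # model does not appear in the advisory table
    try:
        code, have = parse_fw(installed)
    except ValueError:
        return "unknown"         # never report an unparsable version as safe
    want_code, want = parse_fw(baseline)
    if code != want_code:
        return "unknown"         # firmware string belongs to a different model
    return "patched" if have >= want else "needs-update"

# Constructed inventory (model, reported firmware); not real device data.
INVENTORY = [
    ("NBG6818", "V1.00(ABSC.4)C0"),
    ("WSQ20", "V1.00(ABOF.11)C02"),
    ("WSQ50", "V2.20(ABKJ.10)C0"),   # patch 10 > 7 only when compared as integers
    ("WSR30", "V1.00(ABSC.5)C01"),   # model code mismatch
    ("NBG7815", "1.00-beta"),
]

def report(inventory=INVENTORY):
    return [(model, fw, assess(model, fw)) for model, fw in inventory]
```

Devices classified as "unknown" should be checked by hand rather than treated as patched.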

Got a question?

Please contact your local service rep or visit Zyxel’s forum for further information or assistance.

Acknowledgment

Thanks to Tenable for reporting the issues to us.

Revision history

2021-11-23: Initial release
