Zyxel security advisory for cleartext storage of WiFi credentials and improper symbolic links of FTP for AX7501-B0 CPE

CVEs: CVE-2022-45439, CVE-2022-45440

Summary

Zyxel has released a patch addressing the cleartext storage of WiFi credentials and improper FTP symbolic links in the AX7501-B0 CPE, and advises customers to install the patch for optimal protection.


What are the vulnerabilities?

  • CVE-2022-45439

    A pair of spare WiFi credentials is stored in cleartext in the configuration file of the AX7501-B0 CPE. A local unauthenticated attacker who obtains the configuration file from the device, for example by leveraging another known vulnerability, could use the credentials to access the WLAN service.

  • CVE-2022-45440

    The FTP server of the AX7501-B0 CPE follows symbolic links found on external storage media. A local authenticated attacker with administrator privileges could create a symbolic link on external storage media, such as a USB flash drive, that points into the root file system, attach the media to a vulnerable device, and then log in to the FTP server to access the root file system through the link.
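The following is an added example and is not Zyxel code or a description of the AX7501-B0 firmware. It shows, in Python, the symbolic-link pattern behind CVE-2022-45440 and the canonicalisation check that a file server exposing removable media should apply before opening a requested path. The directory layout, file names and file contents are constructed for the demo; the function names (open_naive, resolve_confined, open_confined, build_demo, demo) are assumptions made for illustration.

```python
"""Added example (not Zyxel code): confining an FTP share rooted on
removable media so that symbolic links on the media cannot reach the
root file system.

The demo layout is constructed: a fake root file system and a fake USB
share under a temp dir, with a symlink on the share pointing at a file
in the fake root file system.
"""
import os
import tempfile


def open_naive(share_root, requested):
    """Vulnerable pattern: join the share root and the client's path and
    open the result. The OS follows the symlink, so a link placed on the
    USB stick reads files outside the share."""
    path = os.path.join(share_root, requested)
    with open(path) as f:
        return f.read()


def resolve_confined(share_root, requested):
    """Hardened pattern: resolve all symlinks, then require the real path to
    remain under the real share root. Rejects links and ../ sequences that
    escape the share."""
    root = os.path.realpath(share_root)
    real = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"{requested!r} resolves outside the share: {real}")
    return real


def open_confined(share_root, requested):
    with open(resolve_confined(share_root, requested)) as f:
        return f.read()


def build_demo():
    """Construct the demo directories; returns (share_dir, rootfs_dir)."""
    base = tempfile.mkdtemp(prefix="ftp-symlink-demo-")
    rootfs = os.path.join(base, "rootfs")
    share = os.path.join(base, "usb")
    os.makedirs(os.path.join(rootfs, "etc"))
    os.makedirs(share)
    with open(os.path.join(rootfs, "etc", "secret.conf"), "w") as f:
        f.write("admin_password=constructed-demo-value\n")  # constructed content
    with open(os.path.join(share, "readme.txt"), "w") as f:
        f.write("public file on the USB stick\n")  # constructed content
    # The attacker-placed link on the removable media.
    os.symlink(os.path.join(rootfs, "etc", "secret.conf"),
               os.path.join(share, "innocent.txt"))
    return share, rootfs


def demo():
    """Run both patterns against the demo share and report what happened."""
    share, _rootfs = build_demo()
    results = {
        "naive_follows_link": open_naive(share, "innocent.txt").startswith("admin_password="),
        "confined_regular_file": open_confined(share, "readme.txt").startswith("public file"),
    }
    try:
        open_confined(share, "innocent.txt")
        results["confined_blocks_link"] = False
    except PermissionError:
        results["confined_blocks_link"] = True
    try:
        open_confined(share, "../rootfs/etc/secret.conf")
        results["confined_blocks_dotdot"] = False
    except PermissionError:
        results["confined_blocks_dotdot"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Resolving the path and then opening it is still racy if the media can be rewritten between the two calls. On Linux, openat2(2) with RESOLVE_BENEATH, or opening the share root and then each path component with O_NOFOLLOW, closes that window; a share on removable media should also reject symlink entries outright in directory listings.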


What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified only one vulnerable product that is within the vulnerability support period and released a firmware patch to address the issues, as shown in the table below.

Affected series/models    Patch available in
AX7501-B0                 V5.17(ABPC.3)C0*

*Please contact your Zyxel sales representative or support team for the file.


Please note that the table does NOT include customized models for internet service providers (ISPs).


Got a question?

For ISPs, please contact your Zyxel sales or service representatives for further details. For customers who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.


Acknowledgment

Thanks to the following security researcher and consultancy for reporting the issues to us:

  • Pshemo for CVE-2022-45439 and CVE-2022-45440
  • SEC Consult for CVE-2022-45440


Revision history

2023-1-17: Initial release