Zyxel security advisory for security misconfiguration vulnerability of 4G LTE indoor routers

CVEs: CVE-2023-22920

Summary

Zyxel has released patches for 4G LTE indoor routers LTE3202-M437 and LTE3316-M604 to address a security misconfiguration vulnerability. Customers are advised to install the patch for optimal protection.

 

What is the vulnerability?

A security misconfiguration vulnerability exists in the previous firmware versions of LTE3202-M437 and LTE3316-M604 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet.

 

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified only two vulnerable products that are within the vulnerability support period and released firmware patches to address the issue, as shown in the table below.

Affected series/models Patch available in
LTE3202-M437 V1.00(ABWF.2)C0
LTE3316-M604 V2.00(ABMP.7)C0

 

Please note that the table does NOT include customized models for internet service providers (ISPs).

 

Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. For customers who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

 

Acknowledgment

Thanks to Geoffroy Martin, Max Nolent, and ANSSI CERT-FR for reporting the issue to us.

 

Revision history

2023-2-22: Initial release