Zyxel security advisory for OS command injection and buffer overflow vulnerabilities of CPE and ONTs

CVEs: CVE-2022-26413, CVE-2022-26414

Summary

Zyxel is aware of OS command injection and buffer overflow vulnerabilities affecting some CPE and ONT models. Users are advised to adopt the applicable firmware updates for optimal protection.

What are the vulnerabilities?

  • CVE-2022-26413

    A command injection vulnerability in the CGI program of VMG3312-T20A could allow a local authenticated attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface.

  • CVE-2022-26414

    A buffer overflow vulnerability was identified in some internal functions of VMG3312-T20A due to a lack of input validation and boundary verification.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their vulnerability support period, as shown in the table below. We encourage users to install the applicable updates for optimal protection.

The model mentioned in the CVE description, VMG3312-T20A, entered end-of-life years previously. Therefore, firmware updates are no longer supported. We recommend that users with this model replace it with a newer-generation product, which typically come with improved designs that better suit current applications.

Please note that the table below does NOT include customized models for internet service providers (ISPs).

Affected series/models Patch availability*
DSL/Ethernet CPE  
EMG3525-T50B EMEA: V5.50(ABPM.6)C0
America: V5.50(ABSL.0)B12 in Sep. 2022
EMG5523-T50B EMEA: V5.50(ABPM.6)C0
America: V5.50(ABSL.0)B12 in Sep. 2022
EMG5723-T50K V5.50(ABOM.7)C0
EMG6726-B10A V5.13(ABNP.7)C0 in Jun. 2022
VMG1312-T20B V5.30(ABSB.5)C0
VMG3625-T50B V5.50(ABPM.6)C0
VMG3927-B50A V5.17(ABMT.6)C0
VMG3927-B50B V5.13(ABLY.7)C0 in Jun. 2022
VMG3927-B60A V5.17(ABMT.6)C0
VMG3927-T50K V5.50(ABOM.7)C0
VMG4927-B50A V5.13(ABLY.7)C0 in Jun. 2022
VMG8623-T50B V5.50(ABPM.6)C0
VMG8825-B50A V5.17(ABMT.6)C0
VMG8825-B50B V5.17(ABNY.7)C0
VMG8825-T50K V5.50(ABOM.7)C0
VMG8825-B60A V5.17(ABMT.6)C0
VMG8825-B60B V5.17(ABNY.7)C0
XMG3927-B50A V5.17(ABMT.6)C0
XMG8825-B50A V5.17(ABMT.6)C0
DX5401-B0 V5.17(ABYO.1)C0
EX3510-B0 V5.17(ABUP.4)C1
EX5401-B0 V5.17(ABYO.1)C0
EX5501-B0 V5.17(ABRY.2)C0
Fiber ONT  
AX7501-B0 V5.17(ABPC.1)C0
EP240P V5.40(ABVH.0)C0
PM7300-T0 V5.42(ACBC.1)C0
PMG5317-T20B V5.40(ABKI.4)C0
PMG5617GA V5.40(ABNA.2)C0
PMG5617-T20B2 V5.41(ACBB.1)C0
PMG5622GA V5.40(ABNB.2)C0
PX7501-B0 V5.17(ABPC.1)C0
*Please reach out to your local Zyxel support team for the file.

Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. For end-user who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.

Acknowledgment

Thanks to Martin Petran from Accenture for reporting the issues to us.

Revision history

2022-04-12: Initial release

2022-04-21: Updated the patch firmware version of VMG1312-T20B