DIVD-2022-00065 - Multiple Critical Vulnerabilities in multiple Zyxel EOL devices
| Our reference | DIVD-2022-00065 |
| Case lead | Rutger Hermens |
| Researcher(s) |
|
| CVE(s) |
|
| Products |
|
| Recommendation | Retire impacted devices |
| Patch status | “Devices are end-of-life and will not be patched” |
| Status | Open |
| Last modified | 31 May 2023 06:24 |
Summary
On February 15th 2022, Sec Consult published an advisory regarding multiple vulnerabilities on various Zyxel devices. While some of these devices could be patched, others were EOL (end of life) and will not receive a patch. DIVD has performed scans for these devices, to notify owners/operators of the risks regarding the continued operation of these devices.
What you can do
If you currently own or operate any of the listed EOL devices, please consider retiring/replacing it as soon as possible. If, for whatever reason, this is not a possibility, make sure all internet facing ports are closed as much as possible.
If you came here through other means than through our direct mailing, please refer to the list published by Sec Consult and Zyxel, to determine whether your Zyxel device is vulnerable and if a patch might be available, if your device isn’t EOL.
What we are doing
After having notified all owners/operators of relevant EOL Zyxel devices, we will intermittently scan the internet, to determine if appropriate action has been taken, and renotify if we have not received a reply from a devices respective owner/operator.
At the first scan, we found 500 vulnerable IP addresses. A month later, a second scan showed 413 vulnerable IPs. Our most current scan shows 111 vulnerable IPs.
More information
- SEC Consult SA-20220215 :: Multiple Critical Vulnerabilities in multiple Zyxel devices
- Zyxel security advisory for multiple vulnerabilities
- Zyxel security advisory for multiple vulnerabilities (Affected model list) (only lists models for which patches are available)