Skip to the content.

DIVD-2022-00065 - Multiple Critical Vulnerabilities in multiple Zyxel EOL devices

Our reference DIVD-2022-00065
Case lead Rutger Hermens
  • n/a
  • Zyxel
Recommendation Retire impacted devices
Patch status “Devices are end-of-life and will not be patched”
Status Closed
Last modified 12 Jun 2024 14:39


On February 15th 2022, Sec Consult published an advisory regarding multiple vulnerabilities on various Zyxel devices. While some of these devices could be patched, others were EOL (end of life) and will not receive a patch. DIVD has performed scans for these devices, to notify owners/operators of the risks regarding the continued operation of these devices.

What you can do

If you currently own or operate any of the listed EOL devices, please consider retiring/replacing it as soon as possible. If, for whatever reason, this is not a possibility, make sure all internet facing ports are closed as much as possible.

If you came here through other means than through our direct mailing, please refer to the list published by Sec Consult and Zyxel, to determine whether your Zyxel device is vulnerable and if a patch might be available, if your device isn’t EOL.

What we are doing

After having notified all owners/operators of relevant EOL Zyxel devices, we will intermittently scan the internet, to determine if appropriate action has been taken, and renotify if we have not received a reply from a devices respective owner/operator.

At the first scan, we found 500 vulnerable IP addresses. A month later, a second scan showed 413 vulnerable IPs. Our most current scan shows 111 vulnerable IPs.

More information