CVE-2019-12583 — CRITICAL (9.1)

Q: How severe is CVE-2019-12583?

CVE-2019-12583 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-12583?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Uag2100 Firmware, Zyxel Uag2100, Zyxel Uag4100 Firmware, Zyxel Uag4100, Zyxel Uag5100 Firmware.

Vulnerability Description

Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.

CVSS Score

9.1

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zyxel	Uag2100 Firmware	<= 4.18\(aaiz.1\)c0
Zyxel	Uag2100	-
Zyxel	Uag4100 Firmware	<= 4.18\(aatd.1\)c0
Zyxel	Uag4100	-
Zyxel	Uag5100 Firmware	<= 4.18\(aapn.1\)c0
Zyxel	Uag5100	-
Zyxel	Usg110 Firmware	<= 4.33\(aaph.0\)c0
Zyxel	Usg110	-
Zyxel	Usg210 Firmware	<= 4.33\(aapi.0\)c0
Zyxel	Usg210	-
Zyxel	Usg310 Firmware	<= 4.33\(aapj.0\)c0
Zyxel	Usg310	-
Zyxel	Usg1100 Firmware	<= 4.33\(aapk.0\)c0
Zyxel	Usg1100	-
Zyxel	Usg1900 Firmware	<= 4.33\(aapl.0\)c0
Zyxel	Usg1900	-
Zyxel	Usg2200-Vpn Firmware	<= 4.33\(abae.0\)c0
Zyxel	Usg2200-Vpn	-
Zyxel	Zywall Vpn100 Firmware	<= 10.02\(abfv.0\)c0
Zyxel	Zywall Vpn100	-

Related Weaknesses (CWE)

CWE-425

References

https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generExploitThird Party Advisory
https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.sPatchVendor Advisory
https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generExploitThird Party Advisory
https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.sPatchVendor Advisory

FAQ

What is CVE-2019-12583?

CVE-2019-12583 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This ...

How severe is CVE-2019-12583?

CVE-2019-12583 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-12583?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Uag2100 Firmware, Zyxel Uag2100, Zyxel Uag4100 Firmware, Zyxel Uag4100, Zyxel Uag5100 Firmware.