CVE-2022-0910 — MEDIUM (6.5)

Q: How severe is CVE-2022-0910?

CVE-2022-0910 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-0910?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Vpn100 Firmware, Zyxel Vpn100, Zyxel Vpn1000 Firmware, Zyxel Vpn1000, Zyxel Vpn300 Firmware.

Vulnerability Description

A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Zyxel	Vpn100 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn100	-
Zyxel	Vpn1000 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn1000	-
Zyxel	Vpn300 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn300	-
Zyxel	Vpn50 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn50	-
Zyxel	Atp100 Firmware	>= 4.32, <= 5.21
Zyxel	Atp100	-
Zyxel	Atp100W Firmware	>= 4.32, <= 5.21
Zyxel	Atp100W	-
Zyxel	Atp200 Firmware	>= 4.32, <= 5.21
Zyxel	Atp200	-
Zyxel	Atp500 Firmware	>= 4.32, <= 5.21
Zyxel	Atp500	-
Zyxel	Atp700 Firmware	>= 4.32, <= 5.21
Zyxel	Atp700	-
Zyxel	Atp800 Firmware	>= 4.32, <= 5.21
Zyxel	Atp800	-

Related Weaknesses (CWE)

CWE-287

References

https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controlleVendor Advisory
https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controlleVendor Advisory

FAQ

What is CVE-2022-0910?

CVE-2022-0910 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versio...

How severe is CVE-2022-0910?

CVE-2022-0910 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0910?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Vpn100 Firmware, Zyxel Vpn100, Zyxel Vpn1000 Firmware, Zyxel Vpn1000, Zyxel Vpn300 Firmware.