Zyxel is a popular provider of firewalls used by many small offices, with tens of thousands of devices in use. Criminals can easily exploit a weakness in the following devices. If you are using any of these Zyxel products, be sure to update them as soon as possible.
ATP (Firmware version 4.60 to 5.35 inclusive)
USG FLEX (Firmware version 4.60 to 5.35 inclusive)
VPN (Firmware version 4.60 to 5.35 inclusive)
ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive)
An attacker can send a specially crafted UDP packet to port 500 on the internet-exposed interface of the firewall and achieve unauthenticated command execution as the root user. A VPN does not need to be configured on the device for it to be vulnerable; an affected device is vulnerable in the default state.
This weakness has been present in the Zyxel firmware since October of 2020 and is present on all default implementations of the impacted devices.
Sources: Zyxel, NIST, Rapid7
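The affected firmware ranges listed above can be checked against a device inventory. The following Python sketch is an added example, not code from Zyxel or the cited sources; the inventory entries and the version-string formats it accepts are constructed assumptions.

```python
import re

# Affected firmware ranges exactly as listed in this advisory (both ends inclusive).
AFFECTED = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZYWALL/USG": ((4, 60), (4, 73)),
}

def parse_version(text):
    """Return (major, minor) from strings such as '5.35' or 'V4.73(ABCD.0)'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no firmware version found in {text!r}")
    return int(m.group(1)), int(m.group(2))

def status(family, firmware):
    """Classify one device as 'affected', 'not in range' or 'unknown'."""
    bounds = AFFECTED.get(family.strip().upper())
    if bounds is None:
        return "unknown"          # family not covered by this advisory
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown"          # unreadable version: check by hand
    low, high = bounds
    # Patch-level suffixes are ignored, so a hit means "confirm with the vendor advisory".
    return "affected" if low <= version <= high else "not in range"

def audit(inventory):
    """Return the names of devices whose firmware falls in a listed range."""
    return [name for name, family, fw in inventory if status(family, fw) == "affected"]

# Constructed sample inventory (device names and version strings are made up).
INVENTORY = [
    ("branch-fw-1", "USG FLEX", "V5.35(ABCD.0)"),
    ("branch-fw-2", "ATP", "5.36"),
    ("hq-fw", "ZyWALL/USG", "4.73"),
    ("lab-fw", "VPN", "4.35"),
    ("old-fw", "ZyWALL/USG", "4.80"),
]

if __name__ == "__main__":
    for name, family, fw in INVENTORY:
        print(f"{name:12} {family:11} {fw:15} {status(family, fw)}")
```

Devices reported as "unknown" have a product family or version string the check could not match and should be reviewed by hand.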
UDP stands for User Datagram Protocol. It is a simple, connectionless, and unreliable protocol used for transmitting data over a network. It is a lightweight protocol that can be useful in certain situations where speed and efficiency are more important than reliability.
Port 500 - The port typically used for the Internet Key Exchange (IKE) protocol, which is used for setting up Virtual Private Network (VPN) tunnels.
VPN (Virtual Private Network) - A secure and private connection between two or more devices over the internet. It allows users to access the internet securely and privately by encrypting their internet traffic.
Root user - The administrative user in an operating system with complete and unrestricted access to all commands, files, directories, and resources on the system.