Zyxel has released a patch addressing directory traversal and command injection vulnerabilities in the VPN2S firewall. Users are advised to install it for optimal protection.
What is the vulnerability?
A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in the VPN2S firewall. A command injection vulnerability caused by improper filtering of parameters in a CGI program was also identified.
What versions are vulnerable—and what should you do?
After a thorough investigation, we've identified one vulnerable product that is within its warranty and support period and released a hotfix to address the issue, as shown in the table below.
|Affected model|Hotfix availability|
Got a question?
Please contact your local service rep or visit Zyxel’s forum for further information or assistance.
Thanks to Qihoo 360 for reporting the issues to us.
2021-9-30: Initial release