COOEY // HUBcompliance · community · intelligence

FAIL › dossier

Zyxel vendor

12
failure events
0
zero-days
10
RCEs
12
on KEV
2
critical
95
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 12 events

DateEventSevFlagsShameSummary
2023-09-18 CVE-2017-6884 critical ⚡RCE ⌖KEV 95 Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, such as the ping_ip parameter to the expert/maintenance/
2024-12-03 CVE-2024-11667 critical ⌖KEV 80 Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.
2025-02-11 CVE-2024-40890 high ⚡RCE ⌖KEV 65 Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
2025-02-11 CVE-2024-40891 high ⚡RCE ⌖KEV 65 Multiple Zyxel DSL CPE devices contain a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands via Telnet.
2023-08-07 CVE-2017-18368 high ⚡RCE ⌖KEV 65 Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
2023-06-23 CVE-2023-27992 high ⚡RCE ⌖KEV 65 Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
2023-06-05 CVE-2023-33010 high ⚡RCE ⌖KEV 65 Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected
2023-06-05 CVE-2023-33009 high ⚡RCE ⌖KEV 65 Zyxel ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG firewalls contain a buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and remote code execution on an affected
2023-05-31 CVE-2023-28771 high ⚡RCE ⌖KEV 65 Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.
2022-05-16 CVE-2022-30525 high ⚡RCE ⌖KEV 65 A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
2022-03-25 CVE-2020-9054 high ⚡RCE ⌖KEV 65 Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.
2021-11-03 CVE-2020-29583 high ⌖KEV 50 Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password.