CVE-2022-40602: Critical Bug Affecting Zyxel Routers
Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its router products that could enable an attacker to take control of the devices.
“A flaw in the previous LTE3301-M209 firmware could allow a remote attacker to access the device using an improper pre-configured password if the remote administration feature has been enabled by an authenticated administrator,” the company said in an advisory published Tuesday.
The security vulnerability has been assigned the identifier CVE-2022-40602 and is rated 9.8 out of 10 for severity. Credited with reporting the bug is RE-Solver.
“The root cause existed in pre-configured code provided by our vendor and affected only one product still within its vulnerability support period,” the company said in an advisory.
The flaw impacts LTE3301-M209 devices running firmware V1.00(ABLG.4)C0 and earlier. Zyxel has released a firmware patch that addresses CVE-2022-40602 and is available for download.
The company said there is no evidence that the vulnerability has been exploited in the wild. Users are advised to install the latest firmware to prevent any potential threats.