CVE-2023-22920 flaw lets attacker gain unauthorized access to Zyxel routers

Zyxel has moved to address a critical security vulnerability affecting Zyxel 4G LTE indoor routers that enable remote attackers to access an affected device.

Zyxel’s security advisory refers to two products, including 4G LTE indoor routers LTE3202-M437 and LTE3316-M604. Tracked as CVE-2023-22920, the flaw could allow a remote attacker to gain unauthorized access to the system, caused by a factory-default misconfiguration intended for testing purposes. By using Telnet, an attacker could exploit this vulnerability to gain unauthorized access to the device.

The National Institute of Standards and Technology (NIST) has not provided a severity rating yet, but Zyxel’s assessment gives it a 9.8 score out of a maximum of 10.

“A security misconfiguration vulnerability exists in the previous firmware versions of LTE3202-M437 and LTE3316-M604 due to a factory default misconfiguration intended for testing purposes. A remote attacker could leverage this vulnerability to access an affected device using Telnet,” the company said in an advisory published Wednesday.

The company has credited Geoffroy Martin, Max Nolent, and ANSSI CERT-FR for reporting the issue.

The CVE-2023-22920 vulnerability is present in the firmware of the following Zyxel products that are still supported by the manufacturer:

• LTE3202-M437 firmware version V1.00(ABWF.1)C0
• LTE3316-M604 firmware version V2.00(ABMP.6)C

Zyxel has released security updates that address the problem for most of the impacted models. It is still strongly advised that users upgrade their devices as soon as possible.