CVE-2020-29299

Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. This affects VPN On-premise before ZLD V4.39 week38, VPN Orchestrator before SD-OS V10.03 week32, USG before ZLD V4.39 week38, USG FLEX before ZLD V4.55 week38, ATP before ZLD V4.55 week38, and NSG before 1.33 patch 4.

Published: Dec 27, 2020
Updated: Apr 14, 2023
CVE: CVE-2020-29299
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
zyxel / zld	-	4.39
zyxel / vpn_orchestrator	-	10.03
zyxel / zld	-	4.55
zyxel / nsg_firmware	-	1.33
zyxel / nsg_firmware	1.33-patch1	1.33-patch1.x
zyxel / nsg_firmware	1.33	1.33.x

https://www.zyxel.com/support/Zyxel-security-advisory-for-command-injection-vulnerability-of-firewalls.shtml
https://www.zyxel.com/us/en/support/security_advisories.shtml

Vulnerability Database

290,020

CVE-2020-29299