Zyxel VPN Series [ZTP Process] - ZTP Mode is already enabled

Zyxel has provided information regarding the potential consequences of using unpatched VPN Series devices with version 5.37 Patch 0 or older.

Starting from July 2023, we have made available the 5.37 Patch 1 Firmware.

We have received reports from a limited number of customers regarding issues with outdated device maintenance. These issues are specifically related to the "ZTP Mode is already enabled" message and failed GUI login.

These issues may be connected to previously addressed CVE vulnerabilities from last year. Please note that ZLD5.37 Patch 1 (July 2023) is no longer susceptible to the following CVE references: 
CVE-2023-33012

Zyxel highly recommends that administrators promptly upgrade their firmware upon release to address potential security vulnerabilities within their network. This is considered a fundamental procedure for firewall administrators.

 

If you encounter the ZTP Process error message, it is imperative to upgrade to an advanced firmware fix that we provide as a goodwill solution. This upgrade will assist you in preventing a complete reset and recovery of the device. We kindly request that you promptly proceed with the upgrade by using the FTP protocol or a console connection.

Please refer to the Firmware Recovery Process VPN Series Firewalls for further instructions.
(Console Recovery)

Please refer to the article titled "Step 8" for FTP recovery. 
(Please note that FTP must be enabled in the local area network beforehand, or you will need to use Console Recovery.)

VPN Series - How to Update/Upgrade Firmware

Both recovery processes must be performed within a local area network (LAN) environment as wide area network (WAN) recovery is not supported.


The VPN Series Recovery Firmware can be downloaded from the following link:
Download for VPN50
Download for VPN100
Download for VPN300
Download for VPN1000
 

Customers using Device HA can attempt an FTP upgrade, but it is important to note that the HA solution may require rebuilding.
Firewall High Availability [HA Pro] - Device HA Pro redeploy

To enhance the future protection of your device, we recommend reviewing our comprehensive knowledgebase article on [BEST PRACTICE] Firewall Maintenance, Config Protection, and CVE Attack Mitigation.

FAQ Section

I am currently using version 5.37 Patch 1. Will I still be impacted?

No. Keeping the firmware updated to version 5.37 Patch 1 ensures you are not affected.

Which version resolves the issue if I have already been affected?

You must have version 537"XXXX"1ITS-24WK05s-r112483 installed on your device.
 

Is there a way to remotely recover this device or can Zyxel assist in recovering the device?

No, it is necessary to be physically present at the location or have local network access, such as through the use of the TeamViewer tool, to attempt recovery via FTP. If this method is unsuccessful, it will be necessary to perform a console recovery on-site.

Will performing a reset resolve the issue?

Yes, if you do not wish to upgrade the firmware via FTP, you can reset the device to its default configuration. It is important to note that this action will delete your data, so it should only be executed if you have a backup. Additionally, please ensure that you immediately upgrade the firmware to version 5.37 Patch 1 following the reset.

Are only the VPN series affected?

Yes, only the VPN series is affected in this case.

 
