USG FLEX / ATP Series - Recovery Steps for Application Signature Issue on January 24th 2025


Please read the complete article carefully before driving on-site and ensure you have the required cable!

We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems. The system LED may also flash. Please note this is not related to a CVE or security issue.

The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions.

Device Error: Wrong CLI command, device timeout or device logout.
Unable to login to ATP/USG FLEX via web GUI: 504 Gateway timeout.
CPU usage is high.
In Monitor > Log, the message "ZySH daemon is busy" appeared.
Unable to enter any commands on console.
Coredump messages appear on console.


Which devices are affected?

Devices with active security licenses on USG FLEX or ATP Series (ZLD firmware versions) with dedicated signature updates in On-premise/Standalone Mode (signature updated during the night of 1/24 to 1/25).
Devices on Nebula platform or USG FLEX H (uOS) series are NOT affected.

How do I know if I am NOT affected?
 

Go to CONFIGURATION > Licensing > Signature Update and check the App-Patrol signature. 
Make sure the version is 1.0.0.20250102.0 or 1.0.0.20241205.0

 


Only version "1.0.0.20250123.0" is affected; such devices need to follow the SOP to recover, or be MANUALLY downgraded via the GUI if you still have access.

You are also NOT affected if you are: 

- Using Nebula
- Using USG FLEX H Series
- Have no active security licenses on the device

The firmware version is UNRELATED to the issue; only the App-Patrol version decides whether a device is affected.
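
For a fleet, the rules above can be applied to an inventory export. The following Python is an added example, not Zyxel code; the CSV column names, the device names and the fw-A/fw-B/fw-C firmware labels are constructed, and treating a missing App-Patrol version as "unknown" is an assumption.

```python
import csv
import io

BAD_VERSION = "1.0.0.20250123.0"  # the only affected App-Patrol version

# Constructed inventory export; column names and firmware labels are assumptions.
SAMPLE = """\
name,series,managed_by,security_license,firmware,app_patrol
branch-01,USG FLEX,standalone,active,fw-A,1.0.0.20250123.0
branch-02,ATP,standalone,active,fw-A,1.0.0.20250102.0
branch-03,USG FLEX,nebula,active,fw-B,1.0.0.20250123.0
branch-04,USG FLEX H,standalone,active,fw-C,
branch-05,ATP,standalone,expired,fw-A,1.0.0.20241205.0
branch-06,USG FLEX,standalone,active,fw-B,
"""


def classify(row):
    """Return (status, reason) for one device, following the article's rules."""
    if row["managed_by"].strip().lower() == "nebula":
        return "not affected", "managed through Nebula"
    if row["series"].strip().upper().endswith("H"):
        return "not affected", "USG FLEX H (uOS)"
    if row["security_license"].strip().lower() != "active":
        return "not affected", "no active security license"
    version = row["app_patrol"].strip()
    if not version:
        # Assumption: a device that cannot report its version gets checked by hand.
        return "unknown", "no App-Patrol version recorded"
    if version == BAD_VERSION:
        return "affected", "App-Patrol " + version
    return "not affected", "App-Patrol " + version  # firmware column is never read


def triage(csv_text):
    """Map each device name to its (status, reason)."""
    return {r["name"]: classify(r) for r in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for name, (status, reason) in triage(SAMPLE).items():
        print(f"{name}: {status} ({reason})")
```

Devices reported as "unknown" are the ones to check on the device itself, since a firewall that is already in a reboot loop may not have reported a version.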


The only fully verified solution is as follows; please follow these steps:

Note for Device HA:
Both devices need to be recovered using the SOP in this article, and you then proceed by following this HA redeploy.

This recovery requires a console cable and must be done on-site. While it's not ideal, it's the only guaranteed solution for this issue.

Recovery via SSH, FTP or the web interface is not possible.


Preparation of Recovery

The first mandatory item is a Console / RS232 cable to start the recovery.
The recovery needs to be done on-site and cannot be done in a remote session.
CLI via Console Cable [Zyxel Devices] - Console to Access the Serial Port & Use Debug level 8 [Putty & TeraTerm] Baud Rate: 115200!

Step 1: Backup Configuration 
(only needs to be executed if you don't have a local backup)

1) Connect the console cable as explained in "Preparation of Recovery"

The issue could look like this, but may also show up differently.
 


 

2) Restart the device and enter debug mode by pressing a key on the keyboard, e.g. the Enter key multiple times, when the console shows "Enter Debug Mode....."

3) Enter atkz -b
4) Enter atgo

 

5) Your ATP/FLEX is now reset to default, but the startup-config.conf is already backed up. Connect your computer to the ATP/USG FLEX's lan1 to get DHCP IP address 192.168.1.33 directly.

6) On your computer, open cmd and enter ftp 192.168.1.1. Login with admin and password 1234.
Enter cd /conf and get startup-config-back.conf to download the backup file.


You can find the backup file on your computer.
 


Step 2: Recovery 
(Delete the Signature) by adding a new Firmware via Console
Steps 1-12 are required for full recovery!

[IF YOU ARE NOT AFFECTED YOU DON'T NEED TO UPGRADE ANY FIRMWARE! THIS IS ONLY A RECOVERY FIRMWARE TO DELETE THE BAD SIGNATURE FROM THE PARTITION!]

A special firmware is required for recovery, please proceed with download!

Download All Model Firmware Package HERE
If you only need a single model file, our Community Forum has these available separately HERE

1) Restart Firewall

2) Press any key to enter debug mode



3) Enter the following command (Set FTP Server)

atkz -f -l 192.168.1.1

4) Enter the following command (Reboot to FTP Mode)

 atgof 

5) Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254
(Disabling Wi-Fi can help in some scenarios)



6) Connect your computer to the first Ethernet port of the ATP/USG FLEX. For example, the first Ethernet port of USG FLEX 500 is P2.

7) Use an FTP client on your computer to connect to ATP/USG FLEX. This example uses the ftp command in the Windows command prompt. The ATP/USG FLEX’s FTP server IP address for firmware recovery is 192.168.1.1

8) Log in without a user name (just press Enter)


9) Set the transfer mode to binary "bin" and transfer the firmware file from your computer to ATP/USG FLEX.

Copy the path of the firmware after you have downloaded it. Make sure to unzip it and use the right model code, e.g. ABUJ = USG FLEX 500.


10) The console session displays “Firmware received” after the FTP file transfer is complete. Then you need to wait while ATP/USG FLEX recovers the firmware (this may take up to 10 minutes). The console session displays “done” when the firmware recovery is complete. Then the ATP/USG FLEX automatically restarts.


11) Log in to the ATP/USG FLEX's web GUI, then upload and apply the backup configuration file to restore the working setup. Make sure to change the PC's IP address once the upload has completed correctly, as the firewall can again be accessed at the IP from the backup config file.

Note: If you have already enabled 2FA authentication for the admin account and would like to bypass it during the recovery procedure, please disable or remove the 2FA-related configuration from the backup configuration file before applying it. This ensures you can log in to the firewall normally and bypass the 2FA authentication process.

12) Update App-Patrol signature to 1.0.0.20250102.0 manually

Go to CONFIGURATION > Licensing > Signature Update and update App-Patrol signature manually. 
Make sure the version is 1.0.0.20250102.0 or 1.0.0.20241205.0.
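
The checks from steps 5 and 9 can be run on the computer before the FTP transfer starts. The following Python is an added example, not Zyxel code; the file names are constructed and it assumes the model code (e.g. ABUJ) appears in the firmware file name.

```python
import ipaddress
import tempfile
from pathlib import Path

RECOVERY_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")  # FTP server address in step 7
ZIP_MAGIC = b"PK\x03\x04"                           # first bytes of a ZIP archive


def preflight(firmware_path, model_code, pc_ip):
    """Return a list of problems; an empty list means ready for the upload."""
    problems = []
    path = Path(firmware_path)
    # Step 5: the PC needs a static address from 192.168.1.2 to 192.168.1.254.
    try:
        ip = ipaddress.ip_address(pc_ip)
    except ValueError:
        ip = None
    if ip is None or ip == FIREWALL_IP or ip not in RECOVERY_NET.hosts():
        problems.append(f"PC address {pc_ip!r} is not in 192.168.1.2 ~ 192.168.1.254")
    # Step 9: upload the extracted firmware file for the right model.
    if not path.is_file():
        return problems + [f"firmware file not found: {path}"]
    with path.open("rb") as fh:
        if fh.read(4) == ZIP_MAGIC:
            problems.append("file is still a ZIP archive; extract the firmware first")
    # Assumption: the model code (e.g. ABUJ) appears in the firmware file name.
    if model_code.upper() not in path.name.upper():
        problems.append(f"file name does not contain model code {model_code}")
    return problems


def demo():
    """Run the checks against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "recovery-ABUJ.bin"       # constructed name
        good.write_bytes(b"\x00" * 64)               # placeholder content
        zipped = Path(tmp) / "recovery-package.zip"  # constructed name
        zipped.write_bytes(ZIP_MAGIC + b"\x00" * 60)
        return {
            "ready": preflight(good, "ABUJ", "192.168.1.10"),
            "wrong_ip": preflight(good, "ABUJ", "192.168.1.1"),
            "zipped": preflight(zipped, "ABUJ", "192.168.1.10"),
        }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, "->", found or "ready")
```

The script cannot check the transfer mode; "bin" still has to be set in the FTP client as described in step 9.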
 


 

FAQ Section
 

1.) Does recovery by FTP work?

No, it can't work.

2.) Is On-Site required?

Yes, this is the 100% working and suggested way.

3.) Is there any other way I can do this remotely?

All remote solutions can have side effects that cause other issues. For example, you may no longer be able to use a partition or firmware upload in the future. We suggest following our steps above. However, some customers report they could recover the device with "Reboot", "Partition Changes", or downgrading the signature through the GUI after resetting the device. The chance of success is very low, and because these approaches can lose config files, fail to work in 99% of cases, or simply leave the device unexpectedly non-functional, we can't share any use case for this.

4.) How long did this issue exist?

Customers who had an active security license and had set the Application Patrol update to daily, at a time falling "in the night", were affected. The signature was then loaded onto devices for 3 hours, and a reboot or a high log volume could bring the device into this issue.

5.) Why are Nebula and USG FLEX H not affected?

USG FLEX H uses a different firmware (uOS), and the uOS firmware has more verification scenarios for signatures. Nebula also has advanced "Remote Managed" protection features on hand.

6.) Why do I need to upgrade the firmware when I am affected, and why can't I do it remotely?

The signature issue creates a lot of logs, which means the firmware can't be uploaded remotely, so the Firmware Recovery procedure (which is also part of every Release Note document) needs to be executed. The combination of a "reset" after backing up the config, followed by the firmware upgrade via console, cleans up the related signature and logs. This is not doable remotely, as there is not enough free space to even upload the firmware. A reset of the device only deletes the config file, not the information saved in other partitions, e.g. certificates, whereas the datecode firmware cleans up the affected partition area.

7.) What happens if I recovered the device but did not install the fix firmware?

Then you can only use the partition you are on right now (Running); the Standby partition is full and can't be used anymore unless the recovery is executed. Firmware upgrades would therefore always need to be applied to the Running partition.


If you are stuck with the Recovery SOP for any reason, feel free to get in touch with our Support Team for assistance in your local language - How to contact the Support Team?
