CVEs: CVE-2021-4029, CVE-2021-4030
Summary:
Zyxel has released a patch addressing command injection and cross-site request forgery vulnerabilities in the Armor Z2 home router. Users are advised to install it for optimal protection.
What are the vulnerabilities?
A command injection vulnerability in the CGI program of Armor Z1 and Z2 home routers could allow a local attacker to execute arbitrary OS commands on a vulnerable device via a LAN interface.
A cross-site request forgery vulnerability in the HTTP daemon of Armor Z1 and Z2 home routers could allow an attacker to execute arbitrary commands if they coerce or trick a local user into visiting a compromised website with malicious scripts.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified only Armor Z2 as within its warranty and support period. We have released a firmware patch to address these issues, as shown in the table below.
|
Affected model |
Patch availability |
|
Armor Z2 (NBG6817) |
Armor Z1 (NBG6816) entered the end of life years previous; therefore, firmware updates are no longer supported. We recommend that users with the Armor Z1 replace it with a newer-generation product, which typically comes with improved designs that better suit current applications.
Acknowledgment:
Thanks to Exodus Intelligence for reporting the issues to us.
Revision history
2022-02-22: Initial release