Zyxel security advisory for pre-configured password vulnerability of LTE3301-M209
CVE: CVE-2022-40602
Summary
Zyxel has released a patch for its LTE indoor router LTE3301-M209 to address a
pre-configured password vulnerability. Users are advised to install the patch for
optimal protection.
What is the vulnerability?
A flaw in the previous LTE3301-M209 firmware could allow a remote attacker to
access the device using an improper pre-configured password if an authenticated administrator has enabled the remote administration feature.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve found that the root cause existed in pre-configured code provided by our vendor and affected only one product
within its vulnerability support period. We’ve released a firmware patch to
address the issue:
Affected model: LTE3301-M209
Affected version: V1.00(ABLG.4)C0 and earlier
Patch availability: V1.00(ABLG.6)C0
Please note that the LTE3301-Plus currently on the market is NOT affected
because it is built on a different code base.
If an on-market product is not listed above, it is NOT affected.
Do you have a question?
Please get in touch with us.
Acknowledgment
Thanks to RE-Solver for reporting the issue to us.
Revision history
2022-11-22: Initial release.