CVE-2019-12581 Scanner
CVE-2019-12581 scanner - Cross-Site Scripting (XSS) vulnerability in Zyxel ZyWall, USG, and UAG devices
Short Info

Field | Value |
---|---|
Level | Medium |
Single Scan | Single Scan |
Can be used by | Asset Owner |
Estimated Time | 10 seconds |
Time Interval | 29 days |
Scan only one | URL |
Toolbox | - |
Zyxel ZyWall, USG, and UAG devices are commonly used for secure network connectivity for small to medium-sized businesses and enterprises. They provide firewall, VPN, and content filtering capabilities to ensure secure connectivity through various types of networks. These devices function as a gateway between the internal and external network, thus ensuring the security of sensitive data and preventing unauthorized access.
However, a critical vulnerability, CVE-2019-12581, has been identified that affects these devices: a reflected cross-site scripting (XSS) flaw that allows remote attackers to inject arbitrary web script or HTML through the "err_msg" parameter of the free_time_failed.cgi program. Because the injected script runs in the browser of a user who opens a crafted link to the device's web interface, an attacker can abuse it to gain unauthorized access to the network and its sensitive data.
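The following added example illustrates the pattern behind a reflected XSS bug of this kind and how a defender handles it; it is generic illustrative code written for this page, not Zyxel firmware, not the s4e.io scanner, and not taken from the references. The functions `render_error_vulnerable`, `render_error_hardened`, `reflects_markup` and `flag_suspicious_requests`, the single-quoted `<p class='error'>` wrapper and the access-log lines are all constructed for the demonstration. It shows a handler that copies `err_msg` into the response verbatim beside one that HTML-encodes it, and a log check that flags requests to `free_time_failed.cgi` whose `err_msg` carries markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (TEST-NET addresses, not real traffic).
# The second request carries HTML markup in err_msg, the kind of input that
# would exercise the reflected XSS described above.
LOG_LINES = [
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET /free_time_failed.cgi?err_msg=Invalid+code HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2020:10:00:02 +0000] "GET /free_time_failed.cgi?err_msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '192.0.2.12 - - [01/Jan/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# Client address and request target from a common-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

# Characters that should never appear in a plain-text error message.
MARKUP_MARKERS = ("<", ">", "javascript:")

# Hypothetical wrapper the error page puts around the untrusted value.
WRAPPER_OPEN = "<p class='error'>"
WRAPPER_CLOSE = "</p>"


def err_msg_values(request_target):
    """Return the decoded err_msg values if the request hits the error CGI."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/free_time_failed.cgi"):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("err_msg", [])


def flag_suspicious_requests(lines):
    """Defender-side check: list client addresses whose err_msg contained markup."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip it
        client, target = match.groups()
        for value in err_msg_values(target):
            if any(marker in value.lower() for marker in MARKUP_MARKERS):
                flagged.append(client)
                break
    return flagged


def _err_msg_from_query(query_string):
    return parse_qs(query_string, keep_blank_values=True).get("err_msg", [""])[0]


def render_error_vulnerable(query_string):
    """Vulnerable pattern (illustrative, not Zyxel's code): the parameter is
    copied into the HTML verbatim, so any tags in it are rendered and run."""
    return f"{WRAPPER_OPEN}{_err_msg_from_query(query_string)}{WRAPPER_CLOSE}"


def render_error_hardened(query_string):
    """Hardened pattern: contextual output encoding turns <, >, &, quotes into
    entities, so the browser displays the text instead of interpreting it."""
    safe = html.escape(_err_msg_from_query(query_string), quote=True)
    return f"{WRAPPER_OPEN}{safe}{WRAPPER_CLOSE}"


def reflects_markup(rendered):
    """True if the untrusted part of the rendered page still contains a raw tag."""
    start = rendered.index(WRAPPER_OPEN) + len(WRAPPER_OPEN)
    end = rendered.rindex(WRAPPER_CLOSE)
    return "<" in rendered[start:end]


if __name__ == "__main__":
    query = "err_msg=Login+failed+%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("vulnerable reflects markup:", reflects_markup(render_error_vulnerable(query)))
    print("hardened reflects markup:  ", reflects_markup(render_error_hardened(query)))
    print("flagged clients:", flag_suspicious_requests(LOG_LINES))
```

The log check is deliberately coarse: a plain error message never legitimately contains angle brackets, so flagging on them is cheap and has few false positives, while the fix itself is output encoding at the point where the value enters the HTML, not input filtering.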
Vulnerable Devices and Versions
Device | Vulnerability | Firmware Version |
---|---|---|
UAG2100 | XSS (CVE-2019-12581) | 4.18(AAIZ.1)C0 and earlier |
UAG4100 | XSS (CVE-2019-12581) | 4.18(AATD.1)C0 and earlier |
UAG5100 | XSS (CVE-2019-12581) | 4.18(AAPN.1)C0 and earlier |
When exploited, this vulnerability can lead to the loss of confidential business information, financial loss, and severe damage to the business's reputation. Moreover, there is a risk of legal action against an organization that fails to protect its data and clients.
s4e.io offers pro features that enable businesses to easily and quickly learn about vulnerabilities in their digital assets. With the platform's comprehensive vulnerability assessment tools, organizations can identify, prioritize, and mitigate threats to their networks and devices. By utilizing the various security features offered by s4e.io, businesses can ensure that they have taken the necessary steps to protect their sensitive data and maintain their reputation.
REFERENCES
- https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss/
- https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-in-zxel-zywall/index.html
- https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml
- https://www.zyxel.com/us/en/