CVE-2022-0910

Name: CVE-2022-0910
Creator: NVD / NIST
Published: 2022-05-24T03:15:09.15+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.66%

Last modified Jun 17, 2026

CVE-2022-0910 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.. EPSS estimates a 0.66% chance of exploitation in the next 30 days.

Description

A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.66%

46.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Zyxel	Vpn100 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn1000 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn300 Firmware	>= 4.32, <= 5.21
Zyxel	Vpn50 Firmware	>= 4.32, <= 5.21
Zyxel	Atp100 Firmware	>= 4.32, <= 5.21
Zyxel	Atp100w Firmware	>= 4.32, <= 5.21
Zyxel	Atp200 Firmware	>= 4.32, <= 5.21
Zyxel	Atp500 Firmware	>= 4.32, <= 5.21
Zyxel	Atp700 Firmware	>= 4.32, <= 5.21
Zyxel	Atp800 Firmware	>= 4.32, <= 5.21
Zyxel	Usg 110 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 1100 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 1900 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 20w Firmware	>= 4.32, <= 4.71
Zyxel	Usg 20w-Vpn Firmware	>= 4.32, <= 4.71
Zyxel	Usg 2200-Vpn Firmware	>= 4.32, <= 4.71
Zyxel	Usg 310 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 40 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 40w Firmware	>= 4.32, <= 4.71
Zyxel	Usg 60 Firmware	>= 4.32, <= 4.71
Zyxel	Usg 60w Firmware	>= 4.32, <= 4.71
Zyxel	Usg Flex 100 Firmware	>= 4.50, <= 5.21
Zyxel	Usg Flex 100w Firmware	>= 4.50, <= 5.21
Zyxel	Usg Flex 200 Firmware	>= 4.50, <= 5.21
Zyxel	Usg Flex 500 Firmware	>= 4.50, <= 5.21
Zyxel	Usg Flex 700 Firmware	>= 4.50, <= 5.21
Zyxel	Usg200 Firmware	>= 4.32, <= 4.71
Zyxel	Usg20 Firmware	>= 4.32, <= 4.71
Zyxel	Usg210 Firmware	>= 4.32, <= 4.71
Zyxel	Usg2200 Firmware	>= 4.32, <= 4.71
Zyxel	Usg300 Firmware	>= 4.32, <= 4.71
Zyxel	Usg310 Firmware	>= 4.32, <= 4.71

References

Timeline

Published: May 24, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-0910?

How severe is CVE-2022-0910?

CVE-2022-0910 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.66% probability of exploitation in the next 30 days.

How do I fix CVE-2022-0910?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-0910?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST