Cybersecurity specialists report the detection of two critical vulnerabilities in Zyxel ZyWALL VPN2S, a popular firewall solution. According to the report, the successful exploitation of these flaws would allow the deployment of various cyberattack variables.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-35027: An input validation flaw when processing directory cross-streams on the web server would allow remote threat actors to send specially crafted HTTP requests to access arbitrary files on the affected system.

This is a flaw of medium severity and received a CVSS score of 6.5/10.

CVE-2021-35028: Incorrect input validation in the CGI program will allow a local user to pass specially crafted data to the affected application and execute arbitrary commands on the target system.

The flaw received a CVSS score of 6.8/10 and its exploitation would result in the total compromise of the affected system.

According to the report, the reported flaws exist in ZyWALL VPN2S v1.12 versions.

Only one of these flaws can be exploited remotely, however, users of affected deployments should not miss the updates, which are already available. Cybersecurity experts have not detected exploitation attempts in real scenarios.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.