CVE-2022-40603
Description
A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the CGI program of Zyxel firewalls allows an attacker who tricks a user into visiting a crafted URL to obtain browser-based information from the victim's session.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the CGI program of certain Zyxel firewall series. Affected firmware versions include ZyWALL/USG series ZLD 4.30 through 4.72, VPN series ZLD 4.30 through 5.31, USG FLEX series ZLD 4.50 through 5.31, and ATP series ZLD 4.32 through 5.31 [1]. The vulnerability allows an attacker to inject malicious scripts via a crafted URL.
Exploitation
An attacker must craft a URL containing the XSS payload and trick a user into visiting it (e.g., via phishing). No special network position or authentication is required; the only precondition is the victim's interaction. Once the victim opens the malicious URL, the CGI program reflects the payload into its response, and the script executes in the context of the user's browser session.
Impact
If the malicious script executes on the victim's browser, the attacker can gain access to sensitive browser-based information, such as session cookies, authentication tokens, or other data accessible to the same origin. The attacker's access is limited to the victim's privilege level within the firewall's web interface.
Mitigation
Zyxel has released patches for all affected series: ATP, USG FLEX, and VPN firmware updated to ZLD V5.32; ZyWALL/USG firmware updated to ZLD V4.73 [1]. Users are advised to apply the updates. No workarounds have been provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- No CPE assigned; range: >=4.30 <=5.31
- No CPE assigned; range: 4.30 through 4.72
- Range: 4.32 through 5.31
- Range: 4.50 through 5.31
- Range: 4.30 through 5.31
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.