Zyxel Threat Intelligence (Release Date: 2022-05-01)

zyxel_Lin Posts: 73  Zyxel Employee

ZyWALL's latest virus/malware signature update protects you against more malware and threats. See how ZyWALL defends against these threats.

Part 1 – Virus/Malware Spotlight

Part 2 – Intrusion Detection Highlight

Part 3 – Application Patrol Highlight

This article focuses on Win32.Worm.Brontok. Parts 2 and 3 will be included in the April Monthly Threat Report, covering the Intrusion Detection and Application Patrol updates. You can find more about their details, history, and signature information in the Zyxel Encyclopedia.

Part 1 Virus/Malware Spotlight
(Number of updated Virus/Malware signatures: 62,100)

Zyxel keeps malware detection up to date. Currently, Zyxel detects and removes threats including Win32.Worm.Rimecud and Win32.Worm.Brontok.

Highlight (partial)

Name: Win32.Worm.Rimecud

Worm:W32/Rimecud is a family of worms that typically spread copies of themselves as email attachments or via removable drives. Once a Rimecud variant installs a backdoor program on an infected machine, a remote attacker can access and control the system.

Name: Win32.Worm.Brontok

This worm spreads automatically to other PCs via removable media such as USB thumb drives or through email. It terminates certain applications immediately and disables some features of the operating system. Symptoms of this malware may include the termination of applications such as CMD and regedit.

Processes with the following strings are terminated by this malware:


The malware will not perform any system changes if its filename is any of the following: AutoPro.exe, mdefault.exe, mcagent.exe, mcshield.exe (Source: F-Secure)

Geographical distribution of attacks by the Email-Worm.Win32.Brontok family

Geographical distribution of attacks during the period from 01 February 2016 to 01 February 2017, Kaspersky.

Part 2 Intrusion Detection 
(Cover Total: 5537/Updated: 18)


Base Score: 9.8 high

ZyXEL NAS weblogin.cgi OS Command Injection -1

Multiple Zyxel network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. Zyxel NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the Zyxel device. Although the web server does not run as the root user, Zyxel devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.

By sending a specially crafted HTTP POST or GET request to a vulnerable Zyxel device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any Zyxel device that is reachable from the client system.

Affected products include:

  • NAS326 before firmware V5.21(AAZF.7)C0
  • NAS520 before firmware V5.21(AASZ.3)C0
  • NAS540 before firmware V5.21(AATB.4)C0
  • NAS542 before firmware V5.21(ABAG.4)C0

ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. (Source: NIST)
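A detection sketch for the weblogin.cgi issue described above, added here as an example and not taken from Zyxel's signatures: it scans web access log lines for weblogin.cgi requests whose username parameter falls outside a conservative allowlist. The log format, the /cgi-bin/ path, the allowlist and the sample lines are assumptions; the advisory does not say which characters trigger the injection.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative allowlist for login names (assumption: the advisory does not
# name the dangerous characters, so anything outside this set is flagged).
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Request portion of a common/combined-format access log line.
REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_weblogin(line):
    """Return (source, decoded username) for a weblogin.cgi request whose
    username is outside the allowlist, otherwise None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/weblogin.cgi"):
        return None
    # parse_qs percent-decodes values, so encoded characters are seen as-is.
    # POST bodies are not in access logs; inspecting those needs a proxy or WAF.
    params = parse_qs(url.query, keep_blank_values=True)
    for name in params.get("username", []):
        if not SAFE_USERNAME.fullmatch(name):
            return (m.group("src"), name)
    return None

def scan(lines):
    """Return every suspicious (source, username) pair found in the log lines."""
    return [hit for hit in map(suspicious_weblogin, lines) if hit]

# Constructed sample lines (documentation address ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2022:10:00:01 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=admin&password=REDACTED HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2022:10:00:05 +0000] '
    '"GET /cgi-bin/weblogin.cgi?username=guest%3Bplaceholder&password=REDACTED HTTP/1.1" 200 0',
    '192.0.2.11 - - [01/May/2022:10:00:09 +0000] '
    '"POST /cgi-bin/weblogin.cgi HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2022:10:00:12 +0000] '
    '"GET /cgi-bin/other.cgi?username=a%3Bb HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, name in scan(SAMPLE_LOG):
        print(f"review {src}: unexpected weblogin.cgi username {name!r}")
```
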


Base Score: 10.0 high

Apache Log4j JndiManager JNDI Injection RCE -1

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (Source: NIST)
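The version boundaries in the paragraph above, written as an inventory triage helper; this is an added example, not Zyxel or Apache code. It assumes log4j-core version strings of the form 2.x[.y][-alphaN|-betaN|-rcN], and, going beyond the page, treats any 2.12.x release at or above 2.12.2 and any 2.3.x release at or above 2.3.1 as belonging to the fixed backport lines. Host names and the inventory are constructed.

```python
import re

# Pre-release stages sort before the final release of the same version.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)

def parse(version):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that compares correctly."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE[stage.lower() if stage else None], int(num or 0))

FIRST_AFFECTED = parse("2.0-beta9")   # start of the affected range
DEFAULT_OFF = parse("2.15.0")         # lookup disabled by default from here
REMOVED = parse("2.16.0")             # functionality removed from here
BACKPORTS = (parse("2.12.2"), parse("2.3.1"))  # security release lines

def classify(version):
    """Classify a log4j-core version against the ranges quoted from NIST."""
    v = parse(version)
    if v < FIRST_AFFECTED:
        return "outside-affected-range"
    if v >= REMOVED:
        return "jndi-lookup-removed"
    # Assumption beyond the page: later releases on a backport line stay fixed.
    for fixed in BACKPORTS:
        if v[:2] == fixed[:2] and v >= fixed:
            return "jndi-lookup-removed"
    if v >= DEFAULT_OFF:
        return "affected-lookup-off-by-default"
    return "affected"

def triage(inventory):
    """Map each host to the status of its log4j-core version."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed inventory of hosts and the log4j-core version found on each.
SAMPLE_INVENTORY = {
    "app01": "2.14.1", "app02": "2.12.3", "app03": "2.15.0",
    "app04": "2.17.1", "app05": "2.0-beta8",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
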

Part 3 Application Patrol
(Added Application: 6/ All Application: 3878)

Managing licenses for your devices has never been easier: the Marketplace is now open for convenient and secure purchasing of licenses. Here are the three major benefits you get as a customer when using the Marketplace:

  • Get immediate license renewal
  • Avoid purchasing incorrect licenses with our filtered product listing
  • Review your device and license status online