How to solve the issue "ZTP is already enabled" on VPN series?

Zyxel_Emily

Symptom:

Unable to access the web GUI. Access the web GUI but the page "ZTP is already enabled" appears. The device is on-premises mode and never deployed using ZTP.

Q1. What are the impact model and version for this issue?

Affected model	Affected version
VPN50	5.00 through 5.36(ABHL2)C0
VPN100	5.00 through 5.36(ABFV.2)C0
VPN300	5.00 through 5.36(ABFC.2)C0
VPN1000	5.00 through 5.36(ABIP.2)C0

Q2. What are the vulnerability details?

These issues may be connected to previously addressed CVE vulnerability CVE-2023-33012. Please note that ZLD5.37 Patch 1 (July 2023) is no longer susceptible to the CVE reference: CVE-2023-33012.

Q3. What should I do if "ZTP is already enabled" on VPN series?

Upgrade the affected VPN device to the following recovery version via FTP to unlock ZTP status.

How to update the firmware by FTP?

Model	Recovery version to unlock ZTP status
VPN50	537ABHL1ITS-24WK05s-r112483.bin
VPN100	537ABFV1ITS-24WK05s-r112483.bin
VPN300	537ABFC1ITS-24WK05s-r112483.bin
VPN1000	537ABIP1ITS-24WK05s-r112483.bin

Q4. What should I do for unaffected VPN devices?

For unaffected VPN devices, make sure they are already upgraded to the latest official version 5.37 Patch 1. In security policy, we also suggest you NOT allow all source addresses to access HTTPS from WAN to ZyWALL. Create another security policy rule to allow trusted source IP address to have the access privilege from WAN to ZyWALL.

SovSibir

I wonder why you need to download from an unofficial site? There is no such firmware update on the official website.

Zyxel_Cooldia

This issue is not encountered by all devices; therefore, it is not suitable to be placed on the official site for everyone to update.