FLEX H Firmware Boot Issues

m0x7e
m0x7e Posts: 2  Freshman Member

There is a security flaw in the current firmware of my device (and most probably other devices of this series).

When the device is rebooted, the configuration on the interfaces is applied and for round about one minute, the configured Firewall rules are not applied.


I realized this when rebooting my device with the PING service not allowed towards the device: the PING went through during bootup.

Even worse, NAT rules, for example, are applied anyway - and then not filtered.


In combination with a Denial of Service Attack this will lead to information exposure.


Tested Device:

V1.37(ABXF.1) running on USG FLEX 100H.


Suggested Remediation: A general Deny ALL must be applied as long as the bootup is not completely finished.

I wrote this first to the security mail address, but they redirected me here. :)
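The report above is verified by probing the appliance with a service the policy blocks while it reboots. The script below is an added example (not code from the thread or from Zyxel) that automates that check from a management host so the window can be measured, and re-measured after a firmware update to confirm it is gone. It assumes Linux ping(1) flags (-c, -W in seconds) and uses 192.0.2.1 as a placeholder address for your own device; the grouping logic (reply_windows) is a generalisation of what the poster observed, so it also works for a probe that is allowed before the reboot and only briefly blocked afterwards.

```python
"""Measure how long a rebooting device answers a probe that its security policy
should block. Added example; run from a management host against your own appliance."""
import re
import subprocess
import time
from dataclasses import dataclass


@dataclass
class Probe:
    t: float        # seconds since the monitor started
    replied: bool   # True when an ICMP echo reply came back


def ping_replied(output: str) -> bool:
    """Return True if ping(1) output contains an echo-reply line (Linux format)."""
    return re.search(r"bytes from .*ttl=\d+", output) is not None


def probe_once(host: str, timeout_s: int = 1) -> bool:
    """Send one ICMP echo request with the system ping; True on a reply."""
    proc = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and ping_replied(proc.stdout)


def reply_windows(probes: list[Probe], gap_s: float = 2.0) -> list[tuple[float, float]]:
    """Group consecutive replies into (first, last) windows.

    A silence longer than gap_s between two replies closes the current window.
    With the probe blocked by policy, every window is exposure: the device
    answered when it should not have. During a reboot the window that opens
    after the device went down is the boot-time gap the report describes.
    """
    windows: list[tuple[float, float]] = []
    start = last = None
    for p in probes:
        if not p.replied:
            continue
        if start is None:
            start, last = p.t, p.t
        elif p.t - last > gap_s:
            windows.append((start, last))
            start, last = p.t, p.t
        else:
            last = p.t
    if start is not None:
        windows.append((start, last))
    return windows


def monitor(host: str, duration_s: float = 180.0, interval_s: float = 0.5) -> list[Probe]:
    """Probe host every interval_s for duration_s; reboot the device meanwhile."""
    t0 = time.monotonic()
    probes = []
    while (now := time.monotonic() - t0) < duration_s:
        probes.append(Probe(round(now, 2), probe_once(host)))
        time.sleep(interval_s)
    return probes


if __name__ == "__main__":
    # Placeholder address for the device under test (constructed, not from the thread).
    results = monitor("192.0.2.1")
    for first, last in reply_windows(results):
        print(f"replies from t={first:.1f}s to t={last:.1f}s ({last - first:.1f}s window)")
```

Start the monitor, reboot the appliance, and read the printed windows: with PING denied by policy, a window that appears after the device goes silent and closes once the policy loads is the exposure the report describes, and its length is the figure to compare before and after a firmware fix.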

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,669  Zyxel Employee

    Hi @m0x7e

    Thanks for your input. I'm clarifying with our team on it. I will update you once I get further information.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 4,669  Zyxel Employee

    Hi @m0x7e

    We tried to replicate this issue with our configuration and did not see an issue like yours. Could you help by providing your configuration for us to investigate? I have sent you a private message and you may share the configuration there.

    Zyxel Melen


  • nicolas2ker
    nicolas2ker Posts: 4  Freshman Member

    Hello Melen,

    Thank you for your reply, but I'm surprised that when I post a message, it's not stored anywhere and there's no trace of it in either the outgoing mail folder or the queue. To make sure I sent it, I did indeed try two or three times to be certain. I apologize for the duplicates.

    Regarding the secure-policy alert notification, I can assure you that I haven't made any changes to the rules, and it's related to versions 5.40 to 5.42 because 5.41 was unstable on the 100W. It no longer displays ports on the 100 model. I had hoped that the 100 firmware would be almost identical to the 100W, apart from the hardware.

    Furthermore, for cybersecurity monitoring, the current method of retrieving emails is clearly not optimal. But with the automation program (local FTP/SFTP), to be reliable, I'm unable to retrieve files from, for example, /usbstorage/centralized_log/2026-03-28.log. For me, this is very inconvenient.

    Furthermore, I analyzed this log specifically regarding the missing port issue, but it's displayed further down, outside the scope, with the label: ,others:47.

    So, all of this becomes convoluted and requires compilation for security analysis. Do you have a reliable and secure solution for downloading the logs without using a GUI?

    Router(config)# dir /usbstorage/centralized_log/2026-03-28.log
    File Name                Size        Modified Time
    ===============================================================================
    2026-03-28.log           55869571    2026-03-28 23:59:57
    Router(config)# Router(config)# copy /usbstorage/centralized_log/2026-03-28.log /tmp/2026-03-28_000000.log
    % copy across different directories prohibit
    retval = -39001
    ERROR: Operation is prohibited.
    Router(config)#

    Thanks in advance for your help.

    Kind regards,

    Nicolas