“We’ve found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems – Zyxel reports. – The system LED may also flash. Please note this is not related to a CVE or security issue. “
According to Zyxel, the issues are caused by a glitch in the Application Signature Update released on the night of January 24-25, 2025.
Devices that have loaded the flawed update can spit out a wide range of errors, including inability to login to ATP/USG FLEX via web GUI (504 Gateway timeout), high CPU usage, inability to enter any commands in the console, “ZySH daemon is busy” messages, Coredump messages in the console, etc.
The flaw only affects USG FLEX and ATP series firewalls (ZLD firmware versions) with active security licenses. Devices on the Nebula platform and USG FLEX H (uOS) series are not affected.
According to Born City, recovery requires physical access to the affected device that must be connected via an RS232 cable.
“This recovery requires a console cable and must be done on-site. While it’s not ideal, it’s the only guaranteed solution for this issue.” – Zyxel experts say.
Recovery involves a sequence of steps, including configuration backup, downloading and installing special firmware, and connecting via the web interface to restore the saved configuration file.
The above steps are described in detail in the manual, and admins are strongly recommended to review it prior to recovery.
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →