Zyxel firewalls reboot due to flawed update

📟 News

Date: 27/01/2025

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into infinite reboot loops.

“We’ve found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems – Zyxel reports. – The system LED may also flash. Please note this is not related to a CVE or security issue. “

According to Zyxel, the issues are caused by a glitch in the Application Signature Update released on the night of January 24-25, 2025.

Devices that have loaded the flawed update can spit out a wide range of errors, including inability to login to ATP/USG FLEX via web GUI (504 Gateway timeout), high CPU usage, inability to enter any commands in the console, “ZySH daemon is busy” messages, Coredump messages in the console, etc.

The flaw only affects USG FLEX and ATP series firewalls (ZLD firmware versions) with active security licenses. Devices on the Nebula platform and USG FLEX H (uOS) series are not affected.

According to Born City, recovery requires physical access to the affected device that must be connected via an RS232 cable.

“This recovery requires a console cable and must be done on-site. While it’s not ideal, it’s the only guaranteed solution for this issue.” – Zyxel experts say.

Recovery involves a sequence of steps, including configuration backup, downloading and installing special firmware, and connecting via the web interface to restore the saved configuration file.

The above steps are described in detail in the manual, and admins are strongly recommended to review it prior to recovery.

Related posts:
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud

Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…

Full article →
2025.01.29 — Google to disable Sync in older Chrome versions

Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…

Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…

Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update

Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…

Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies

GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…

Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…

Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI

The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…

Full article →