Zyxel is warning that a bad security signature update is causing critical errors for USG FLEX or ATP Series firewalls, including putting the device into a boot loop.
“We’ve found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems,” warns a new Zyxel advisory.
“The system LED may also flash. Please note this is not related to a CVE or security issue.”
Zyxel says the issues are caused by a failure in an Application Signature Update for its cybersecurity features that was pushed out overnight from 1/24 through 1/25.
Devices that received the faulty update are now experiencing a wide range of issues, including:
- Device Error: Wrong CLI command, device timeout or device logout.
- Unable to log in to ATP/USG FLEX via web GUI: 504 Gateway timeout.
- CPU usage is high.
- In Monitor > Log, the message “ZySH daemon is busy” appeared.
- Unable to enter any commands on console.
- Coredump messages appear on console.
Zyxel says only USG FLEX or ATP Series (ZLD Firmware Versions) firewalls with active security licenses are impacted. Devices on the Nebula platform or USG FLEX H (uOS) series are not affected.
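For admins with several firewalls, the symptom list and scope above can be turned into a quick fleet triage. The following is an added example, not code from Zyxel or the original article; the host names, inventory fields and the "<host> <message>" log format are constructed assumptions, and treating "on the Nebula platform" as a per-device flag is an interpretation.

```python
import re

# Symptom strings taken from the advisory text quoted above.
SYMPTOMS = {
    "zysh_busy": re.compile(r"ZySH daemon is busy", re.I),
    "gui_504": re.compile(r"\b504 Gateway time-?out\b", re.I),
    "coredump": re.compile(r"core\s?dump", re.I),
    "cli_error": re.compile(r"Wrong CLI command|device timeout|device logout", re.I),
}
# Constructed inventory (hypothetical hosts); fields mirror the stated scope.
INVENTORY = {
    "fw-branch1": {"series": "USG FLEX", "os": "ZLD", "nebula": False, "licensed": True},
    "fw-branch2": {"series": "ATP", "os": "ZLD", "nebula": False, "licensed": True},
    "fw-hq": {"series": "USG FLEX H", "os": "uOS", "nebula": False, "licensed": True},
    "fw-lab": {"series": "USG FLEX", "os": "ZLD", "nebula": True, "licensed": True},
}
# Constructed collector lines in "<host> <message>" form; real formats will differ.
SAMPLE_LOG = """\
fw-branch1 ZySH daemon is busy
fw-branch1 Coredump detected
fw-branch1 webgui probe: 504 Gateway timeout
fw-branch2 user admin logged in
fw-hq ZySH daemon is busy
"""

def in_scope(dev):
    """USG FLEX / ATP on ZLD firmware, not on Nebula, with an active security license."""
    return (dev["series"] in ("USG FLEX", "ATP") and dev["os"] == "ZLD"
            and not dev["nebula"] and dev["licensed"])

def triage(log_text, inventory):
    """Return {host: (status, symptoms_seen)} for every inventoried device."""
    hits = {}
    for line in log_text.splitlines():
        host, _, msg = line.partition(" ")
        found = {name for name, rx in SYMPTOMS.items() if rx.search(msg)}
        if found:
            hits.setdefault(host, set()).update(found)
    report = {}
    for host, dev in inventory.items():
        seen = hits.get(host, set())
        if not in_scope(dev):
            status = "out_of_scope"  # same symptoms here point to another cause
        else:
            # A device stuck in a boot loop may send no logs at all, so an
            # in-scope device without symptoms is unconfirmed, not cleared.
            status = "likely_affected" if seen else "in_scope_unconfirmed"
        report[host] = (status, seen)
    return report

if __name__ == "__main__":
    for host, (status, seen) in triage(SAMPLE_LOG, INVENTORY).items():
        print(f"{host:12} {status:22} {', '.join(sorted(seen)) or '-'}")
```

Devices reported as `likely_affected` are the ones to schedule for the on-site console recovery; `in_scope_unconfirmed` devices still need a manual reachability check.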
As first reported by Born City, the only way to fix the issue is to have physical access to the firewall and to connect to the console via an RS232 serial cable.
“This recovery requires a console cable and must be done on-site. While it’s not ideal, it’s the only guaranteed solution for this issue,” reads the advisory.
Admins will now need to conduct a series of steps to restore the firewall, including backing up the configuration, downloading and applying a special firmware, and then connecting via the web GUI to restore the backed-up configuration file.
Zyxel has shared detailed steps in its advisory, and it is highly recommended that admins review them before attempting to recover devices.
For customers who have further questions or need assistance, Zyxel will be hosting a Microsoft Teams Open Question Session on Saturday, January 25th from 9am – 12pm and 1pm – 5pm (GMT +1).
BleepingComputer has contacted Zyxel with questions about the incident, but no reply was immediately received.