CVE-2024-42058 Overview
CVE-2024-42058 is a null pointer dereference vulnerability [CWE-476] affecting multiple Zyxel firewall product lines running ZLD firmware. The flaw resides in packet handling logic and can be triggered by an unauthenticated remote attacker who sends crafted packets to a vulnerable device. Successful exploitation results in a denial-of-service (DoS) condition, disrupting firewall availability and any traffic flowing through the appliance. The affected lines include the ATP series, USG FLEX series, USG FLEX 50(W) series, and USG20(W)-VPN series. Zyxel published a coordinated advisory on September 3, 2024, addressing this issue alongside other firewall vulnerabilities.
Critical Impact
An unauthenticated attacker on the network can crash Zyxel firewalls by sending crafted packets, taking perimeter security devices offline and severing protected network connectivity.
Affected Products
- Zyxel ATP series firmware versions V4.32 through V5.38 (ATP100, ATP100W, ATP200, ATP500, ATP700, ATP800)
- Zyxel USG FLEX series firmware versions V4.50 through V5.38 (USG FLEX 100, 100AX, 100W, 200, 500, 700) and USG FLEX 50(W) firmware V5.20 through V5.38
- Zyxel USG20(W)-VPN series firmware versions V5.20 through V5.38
Discovery Timeline
- 2024-09-03 - Zyxel publishes security advisory covering multiple firewall vulnerabilities
- 2024-09-03 - CVE-2024-42058 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-42058
Vulnerability Analysis
The vulnerability is classified as a null pointer dereference [CWE-476] within ZLD firmware shared across Zyxel's ATP, USG FLEX, and USG20(W)-VPN firewall lines. The defect lies in network-facing packet processing code that dereferences a pointer without confirming it was successfully initialized. When the firewall receives a specifically crafted packet, the affected code path reaches the dereference with a null pointer value, triggering an immediate process crash on the appliance.
The impact is restricted to availability. Confidentiality and integrity are not affected, and the attacker does not gain code execution or data access. However, because the affected devices function as perimeter firewalls and VPN concentrators, an outage interrupts all traffic policy enforcement, site-to-site VPN tunnels, and remote access sessions traversing the appliance. The EPSS probability for this CVE is 0.621% (45th percentile).
Root Cause
The root cause is missing validation of a pointer prior to dereference within ZLD packet handling logic. The firmware assumes a structure or buffer pointer is non-null after a parsing or allocation step, but specific malformed input causes that step to return null without the calling code checking the result. Zyxel has not published code-level details of the affected function.
Attack Vector
The attack requires only network reachability to a vulnerable management or service interface on the firewall. No authentication, user interaction, or local access is needed. An attacker sends one or more crafted packets to the device, and the targeted process terminates. Because ZLD-based firewalls are commonly deployed at the network edge, the attacker can reach the device directly across the internet when management or VPN services are exposed.
No public proof-of-concept exploit code or exploitation in the wild has been reported. See the Zyxel Security Advisory for vendor-published technical context.
Detection Methods for CVE-2024-42058
Indicators of Compromise
- Unexpected reboots, watchdog-triggered restarts, or service crashes recorded in ZLD system logs without a corresponding administrative action.
- Sudden loss of VPN tunnels, dropped management sessions, or interface flaps on affected ATP, USG FLEX, or USG20(W)-VPN devices.
- Inbound traffic patterns containing malformed or unusual packets immediately preceding a device outage.
Detection Strategies
- Monitor syslog output from Zyxel firewalls for repeated daemon termination, kernel panic, or crash dump events shortly after external packet bursts.
- Inspect upstream router or IDS telemetry for anomalous packets directed at firewall management interfaces or VPN listeners.
- Correlate unexplained device uptime resets against your firmware inventory to single out appliances whose ZLD version falls inside the affected range for that model (ATP from V4.32 and USG FLEX from V4.50; USG FLEX 50(W) and USG20(W)-VPN from V5.20; all ranges ending at V5.38).
Monitoring Recommendations
- Enable remote syslog forwarding from all Zyxel firewalls to a centralized log platform and alert on availability-related events.
- Track device reachability with active health checks against management and VPN endpoints, polling often enough (well under a minute) that a reboot cannot pass unnoticed, and alert on any missed check.
- Continuously inventory firewall firmware versions and flag any device running a version listed in the Zyxel advisory.
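The uptime-reset correlation and firmware-inventory checks above, as an added worked example that is not part of the Zyxel advisory or of this page's original content. It encodes the affected ranges listed under Affected Products and runs a simple restart correlator over constructed, simplified syslog lines. The log line format, host name, and message wording are assumptions made for illustration and do not reproduce the real ZLD syslog format; adapt the regular expressions to the message strings your own devices emit.

```python
import re
from datetime import datetime, timedelta

# Inclusive affected ranges per product family, copied from the Affected Products list.
AFFECTED = {
    "ATP":            ((4, 32), (5, 38)),
    "USG FLEX":       ((4, 50), (5, 38)),
    "USG FLEX 50(W)": ((5, 20), (5, 38)),
    "USG20(W)-VPN":   ((5, 20), (5, 38)),
}

VERSION_RE = re.compile(r"V?(\d+)\.(\d+)", re.I)


def parse_version(text):
    """Return (major, minor) from strings such as 'V5.38(ABFV.0)' or '5.38'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def family(model):
    """Map a model name (e.g. 'ATP200', 'USG FLEX 50W', 'USG20W-VPN') to its advisory family."""
    parts = model.upper().replace("-", " ").replace("(", "").replace(")", "").split()
    if not parts:
        return None
    if parts[0].startswith("ATP"):
        return "ATP"
    if parts[0].startswith("USG20"):
        return "USG20(W)-VPN"
    if parts[:2] == ["USG", "FLEX"] and len(parts) >= 3:
        # 'USG FLEX 50' / '50W' has its own range; 500 and 700 do not.
        return "USG FLEX 50(W)" if parts[2] in ("50", "50W") else "USG FLEX"
    return None


def is_affected(model, version):
    """True when the model belongs to an affected family and its version is in range."""
    fam = family(model)
    if fam is None:
        return False
    low, high = AFFECTED[fam]
    return low <= parse_version(version) <= high


# Constructed, simplified log lines (assumed format: "<ISO time> <host> <source>: <message>").
# These are not real ZLD syslog output.
SAMPLE_LOG = """\
2024-09-05T10:01:40Z fw-edge-01 admin: User admin has logged in from 10.0.0.5 (HTTPS)
2024-09-05T10:01:55Z fw-edge-01 kernel: rx burst 1820 pkt/s from 203.0.113.7 on wan1
2024-09-05T10:02:03Z fw-edge-01 kernel: watchdog: process restart limit hit, rebooting
2024-09-05T10:03:10Z fw-edge-01 system: System start up, firmware V5.38(ABFV.0)
2024-09-05T18:00:00Z fw-edge-01 admin: User admin issued command: reboot
2024-09-05T18:00:05Z fw-edge-01 system: System is rebooting
2024-09-05T18:01:30Z fw-edge-01 system: System start up, firmware V5.38(ABFV.0)
"""

RESTART_RE = re.compile(r"System start up", re.I)
ADMIN_ACTION_RE = re.compile(r"\badmin\b.*\b(reboot|shutdown|upgrade)", re.I)
PRECURSOR_RE = re.compile(r"watchdog|panic|crash|terminated|burst", re.I)


def parse_line(line):
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, msg


def unexplained_restarts(lines, grace_seconds=600):
    """Restarts with no admin reboot/shutdown/upgrade in the preceding grace window.

    Each finding carries the crash-like or traffic-burst messages seen in that window,
    which is what ties an outage back to the inbound packets that preceded it.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    grace = timedelta(seconds=grace_seconds)
    findings = []
    for i, (t, host, msg) in enumerate(events):
        if not RESTART_RE.search(msg):
            continue
        window = [e for e in events[:i] if t - e[0] <= grace]
        if any(ADMIN_ACTION_RE.search(m) for _, _, m in window):
            continue  # operator-initiated restart, not a crash
        findings.append({
            "host": host,
            "time": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "precursors": [m for _, _, m in window if PRECURSOR_RE.search(m)],
        })
    return findings


if __name__ == "__main__":
    for model, ver in [("ATP200", "V5.38(ABFV.0)"), ("USG FLEX 50W", "V5.10"), ("USG20W-VPN", "V5.39")]:
        print(f"{model} {ver}: affected={is_affected(model, ver)}")
    for f in unexplained_restarts(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} restarted at {f['time']} without admin action; precursors: {f['precursors']}")
```

In the sample, the 10:03:10 start-up is flagged because no administrative reboot precedes it within ten minutes, and its precursor list carries the traffic burst and the watchdog message; the 18:01:30 start-up is dropped because an admin-issued reboot precedes it. Feeding the same correlator from a central syslog collector, with `is_affected` driven by your inventory, turns the two bullets above into a single alert stream.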
How to Mitigate CVE-2024-42058
Immediate Actions Required
- Upgrade affected ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN appliances to the fixed ZLD firmware version specified in the Zyxel advisory.
- Restrict access to firewall management interfaces so they are not reachable from untrusted networks, using ACLs or out-of-band management.
- Audit which WAN-facing services (VPN, web management, SSL VPN) are exposed and disable any that are not required.
Patch Information
Zyxel addressed the vulnerability in firmware updates released alongside the September 3, 2024 advisory. Administrators should consult the Zyxel Security Advisory for Multiple Vulnerabilities in Firewalls for the exact fixed firmware version applicable to each model and apply it through the standard ZLD upgrade workflow.
Workarounds
- Limit source addresses permitted to reach management and VPN services using policy ACLs until firmware can be applied. Because Zyxel has not identified which service parses the triggering packets, this reduces exposure rather than eliminating it; only the firmware update removes the defect.
- Place affected appliances behind upstream filtering that drops malformed packets directed at firewall service ports.
- Schedule failover to a redundant peer where high-availability pairs are deployed, so a crash does not produce a full outage during patching.
# Example: restrict HTTPS management on ZLD to a single management subnet until patched.
# Command syntax follows the ZLD CLI reference (address-object and
# ip http secure-server table rule); confirm it against the CLI guide for your
# firmware version before applying. MGMT_NET is an address object name chosen for
# this example. Rules are evaluated in order, so the accept rule must precede the deny.
# Issue the commands from a host inside MGMT_NET, or the final deny locks you out.
configure terminal
address-object MGMT_NET 10.0.0.0/24
ip http secure-server table rule append access-group MGMT_NET zone ALL action accept
ip http secure-server table rule append access-group ALL zone ALL action deny
write
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

