Zyxel Warns of Critical Firewall Issues Due to Faulty Update

Zyxel has issued an urgent advisory regarding a problematic security signature update that is causing significant disruptions to its USG FLEX and ATP Series firewalls. The affected devices are experiencing critical failures, including boot loops, ZySH daemon crashes, and login access issues. Administrators are now being urged to take immediate action to resolve the issue.

What Caused the Problem?

The issue stems from a faulty Application Signature Update that Zyxel rolled out between January 24th and January 25th, 2025. This update was intended to enhance the cybersecurity capabilities of their devices but inadvertently caused system-wide malfunctions. According to Zyxel's advisory, the affected devices include USG FLEX and ATP Series firewalls running ZLD firmware versions with active security licenses.

Devices on the Nebula platform or those in the USG FLEX H (uOS) series remain unaffected, providing some relief to customers using these platforms. Zyxel emphasized that the issue is not related to a Common Vulnerabilities and Exposures (CVE) security flaw but rather a technical failure in the signature update process.

Symptoms of the Issue

Administrators managing the affected devices have reported the following issues:

• Devices entering reboot loops.
• "ZySH daemon is busy" messages appearing in logs.
• 504 Gateway Timeout errors when attempting to access the web GUI.
• High CPU usage causing sluggish performance.
• Errors like "Wrong CLI command" or devices timing out.
• Console access showing coredump messages.

These symptoms not only disrupt network functionality but also leave administrators unable to configure or manage their firewalls remotely.

Recovery Requires Physical Access

Resolving the issue requires on-site intervention, as the recovery process necessitates the use of a console cable (RS232 serial cable) to access the firewall directly. Unfortunately, this means administrators need to physically visit each affected device, which can be especially challenging for organizations with remote or distributed networks.

• Zyxel’s advisory outlines the recovery process in detail, which involves:
• Backing up the firewall’s configuration: Ensuring that all existing settings are preserved before further action.
• Downloading special firmware: Admins must download the recovery firmware provided by Zyxel to address the issue.
• Applying the firmware via the console: Using the serial cable connection to install the special firmware.
• Restoring the configuration: Once the firmware is installed, admins can restore the device settings through the web GUI.

While this solution is guaranteed to resolve the issue, it does require technical expertise and access to the appropriate tools, which may not be readily available to all users.

Zyxel Provides Additional Support

In response to the disruption, Zyxel is taking steps to assist customers. The company is hosting a Microsoft Teams Open Question Session on Saturday, January 25th, from 9:00 AM to 12:00 PM and 1:00 PM to 5:00 PM (GMT +1). During this session, Zyxel representatives will be available to answer questions and guide customers through the recovery process.

Administrators dealing with affected devices are strongly encouraged to attend these sessions or consult Zyxel’s detailed advisory for step-by-step instructions on resolving the problem.

Impact on Businesses

For organizations relying on Zyxel's USG FLEX and ATP Series firewalls, the issue has caused significant disruptions, particularly for those without immediate physical access to their devices. Remote offices, distributed teams, and critical infrastructure setups may face extended downtimes while waiting for on-site recovery.

Additionally, the failure highlights the risks associated with automatic updates, especially for critical network security appliances. While signature updates are essential for defending against emerging threats, this incident serves as a reminder of the importance of rigorous testing before rolling out updates to production environments.

Key Lessons for Administrators

Enable Backup and Redundancy: Always ensure that configurations are backed up before applying updates to critical systems. This minimizes the impact of unforeseen issues.

Test Updates in Staging Environments: If possible, test updates in a non-production environment to identify potential conflicts or bugs.

Monitor Vendor Advisories: Keeping up with vendor communications can help administrators quickly respond to emerging issues.

Have Emergency Recovery Tools Available: Ensure that necessary tools, such as console cables, are readily available for on-site troubleshooting.

Zyxel’s Reputation at Stake

While Zyxel has been transparent about the issue and is offering support to affected customers, this incident could have lasting implications for its reputation. Network administrators and organizations might reconsider their reliance on Zyxel devices, especially for mission-critical infrastructure, in light of these disruptions.

The company’s swift response and ability to assist customers will play a crucial role in rebuilding trust. Moreover, Zyxel may need to implement additional quality assurance measures to prevent similar issues from occurring in the future.

Final Thoughts

The faulty update affecting Zyxel’s USG FLEX and ATP Series firewalls underscores the delicate balance between enhancing security and maintaining system stability. While updates are critical for defending against evolving cyber threats, they must be rigorously tested to avoid disrupting operations.

Administrators using Zyxel devices should act promptly to resolve the issue and explore long-term measures, such as staging updates and enabling MFA for added security. Zyxel, on the other hand, must learn from this incident to improve its update deployment process and provide more seamless recovery options in the future.

By addressing these challenges head-on, both Zyxel and its customers can work toward ensuring a more resilient and secure network infrastructure.