Zyxel warns of bad signature update causing firewall boot loops
Zyxel is warning that a bad security signature update is causing critical errors for USG FLEX or ATP Series firewalls, including putting the device into a boot loop.
"We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," warns a new Zyxel advisory.
"The system LED may also flash. Please note this is not related to a CVE or security issue."
Zyxel says the issues are caused by a failure in an Application Signature Update for its cybersecurity features that was pushed out at night on 1/24 through 1/25.
Devices that received the faulty update are now experiencing a wide range of issues, including:
- Device Error: Wrong CLI command, device timeout or device logout.
- Unable to login to ATP/USG FLEX via web GUI: 504 Gateway timeout.
- CPU usage is high.
- In Monitor > Log, the message "ZySH daemon is busy" appeared.
- Unable to enter any commands on console.
- Coredump messages appear on console.
Zyxel says only USG FLEX or ATP Series (ZLD Firmware Versions) firewalls with active security licenses are impacted. Devices on the Nebula platform or USG FLEX H (uOS) series are not affected.
As first reported by Born City, the only way to fix the issue is to have physical access to the firewall and to connect to the console via an RS232 serial cable.
"This recovery requires a console cable and must be done on-site. While it's not ideal, it's the only guaranteed solution for this issue," reads the advisory.

Admins will now need to conduct a series of steps to restore the firewall, including backing up the configuration, downloading and applying a special firmware, and then connecting via the web GUI to restore the backed-up configuration file.
Zyxel has shared detailed steps in its advisory, and it is highly recommended that admins review them before attempting to recover devices.
For customers who have further questions or need assistance, Zyxel will be hosting a Microsoft Teams Open Question Session on Saturday, January 25th, from 9am to 12pm and 1pm to 5pm (GMT+1).
BleepingComputer has contacted Zyxel with questions about the incident, but no reply was immediately received.