Zyxel customers are experiencing problems following a recent update. In some cases, firewalls get stuck in a bootloop, although problems can manifest themselves differently. Resolving the bug requires administrators to go on-site.
An update from Zyxel for USG Flex or ATP firewalls with the ZLD firmware has ended badly. The update causes the firewalls to behave strangely and in some cases become unusable. They then enter a bootloop, from which remote recovery is impossible. Customers with a USG Flex H firewall, customers using the Nebula platform, or not having an active security license on a device are not affected.
Zyxel insists that the problem is related to the Application Signature Update and not the firmware itself. Therefore, there are no security risks involved. That is presumably cold comfort, since the recovery process requires a lot of time and effort from administrators.
On-site recovery
Indeed, the only sure way to restore firewalls is for administrators to go on-site with a console/RS232 cable. Only recovery via that cable is possible. SSH, FTP or the Web interface will not allow you to fix the problem. The recovery process is fairly extensive, but Zyxel explains it in detail on this Web page.
Zyxel further notes that customers running their systems in Device-HA mode should contact it for customized support. The manufacturer has opened a Teams channel to further assist affected users with questions.