Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZyxel Atp100
HWZyxelwszystkie wersjeZyxel Atp100 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Atp100w
HWZyxelwszystkie wersjeZyxel Atp100w Firmware
OSZyxel4.60 – 5.35 (bez)Zyxel Atp200
HWZyxelwszystkie wersjeZyxel Atp200 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Atp500
HWZyxelwszystkie wersjeZyxel Atp500 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Atp700
HWZyxelwszystkie wersjeZyxel Atp700 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Atp800
HWZyxelwszystkie wersjeZyxel Atp800 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 100
HWZyxelwszystkie wersjeZyxel Usg Flex 100 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 100w
HWZyxelwszystkie wersjeZyxel Usg Flex 100w Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 200
HWZyxelwszystkie wersjeZyxel Usg Flex 200 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 50
HWZyxelwszystkie wersjeZyxel Usg Flex 500
HWZyxelwszystkie wersjeZyxel Usg Flex 500 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 50 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 50w
HWZyxelwszystkie wersjeZyxel Usg Flex 50w Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Usg Flex 700
HWZyxelwszystkie wersjeZyxel Usg Flex 700 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Vpn100
HWZyxelwszystkie wersjeZyxel Vpn1000
HWZyxelwszystkie wersjeZyxel Vpn1000 Firmware
OSZyxel4.60 – 5.36 (bez)Zyxel Vpn100 Firmware
OSZyxel4.60 – 5.36 (bez)
CISA KEV — detailsi
- Vendori
- Zyxel
- Producti
- Multiple Firewalls
- Added to KEVi
- May 31, 2023
- Remediation deadline (US Federal)i
- June 21, 2023(overdue)
Apply updates per vendor instructions.
Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.
Related vulnerabilities
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 throu...
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 throug...
A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 throug...
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable passw...
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authenticati...