CVE-2023-33009

CVSS 9.8 CRITICAL | EPSS 28.1% | KEV | CWE-120
In short

A buffer overflow flaw in Zyxel network devices allows attackers to crash the device or take complete control of it without needing to log in. This affects multiple device models running certain firmware versions.

Technical detail

A buffer overflow in the notification function is exploitable by unauthenticated remote attackers via malformed input, enabling denial of service and arbitrary code execution on affected Zyxel ATP, USG FLEX, USG20(W)-VPN, VPN, and ZyWALL/USG series devices running firmware versions 4.60 through 5.36 Patch 1 (4.60 through 4.73 Patch 1 for ZyWALL/USG).

Summary generated and translated by AI from the official description.
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
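To triage a device inventory against the affected ranges stated above, here is an added example (not code from Zyxel or from this advisory) that parses firmware versions written in the advisory's own "5.36 Patch 1" notation and reports which devices fall inside the affected range for their series. The inventory notation (two-digit minor, optional "Patch N" suffix) and the sample hosts are assumptions.

```python
import re

# Affected ranges as stated in the advisory, inclusive on both ends.
# A "Patch N" suffix is modelled as a third component (0 when absent),
# so "5.36" < "5.36 Patch 1" < "5.36 Patch 2".
AFFECTED_RANGES = {
    "ATP": ((4, 60, 0), (5, 36, 1)),
    "USG FLEX": ((4, 60, 0), (5, 36, 1)),
    "USG FLEX 50(W)": ((4, 60, 0), (5, 36, 1)),
    "USG20(W)-VPN": ((4, 60, 0), (5, 36, 1)),
    "VPN": ((4, 60, 0), (5, 36, 1)),
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 1)),
}

# Assumed inventory notation: "<major>.<two-digit minor>[ Patch <n>]".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d{2})(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse e.g. '5.36 Patch 1' -> (5, 36, 1) and '4.73' -> (4, 73, 0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(series: str, version: str) -> bool:
    """True when the series/version pair lies inside the advisory's range."""
    if series not in AFFECTED_RANGES:
        raise KeyError(f"series not covered by this advisory: {series!r}")
    low, high = AFFECTED_RANGES[series]
    return low <= parse_version(version) <= high


def triage(inventory):
    """Return the (host, series, version) rows that need the vendor fix."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory; host names and versions are placeholders.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "5.36 Patch 1"),    # last affected release
    ("fw-branch-02", "USG FLEX", "5.36 Patch 2"),    # above the stated range
    ("fw-legacy-01", "ZyWALL/USG", "4.73 Patch 1"),  # last affected for ZyWALL/USG
    ("fw-legacy-02", "ZyWALL/USG", "4.59"),          # below the stated range
    ("fw-dc-01", "ATP", "5.10"),                     # inside the range, no patch suffix
]

if __name__ == "__main__":
    for host, series, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} {version} is affected by CVE-2023-33009")
```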
