Taiwanese network equipment manufacturer Zyxel this week announced patches for a critical-severity vulnerability impacting its ATP, USG FLEX, VPN, and ZyWALL/USG firewalls.
Tracked as CVE-2023-28771 (CVSS score of 9.8), the security defect can be exploited remotely to execute OS commands.
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel explains in its advisory.
The bug impacts ATP, USG FLEX, and VPN firmware versions 4.60 to 5.35, and ZyWALL/USG firmware versions 4.60 to 4.73. Fixes were included in ATP, USG FLEX, and VPN firmware releases 5.36 and ZyWALL/USG firmware version 4.73 Patch 1.
Users are advised to update their firewalls as soon as possible. While the vulnerability does not appear to be exploited in malicious attacks, unpatched Zyxel appliances are known to be targeted by malicious actors.
The firmware updates for ATP, USG FLEX, and VPN firewalls also resolve a high-severity command injection issue. Tracked as CVE-2023-27991, the vulnerability was addressed in USG FLEX 50(W) / USG20(W)-VPN firewalls as well (in firmware version 5.36).
This week, the company also announced fixes for several high-severity flaws in multiple firewalls and access point (AP) models, which could be exploited to cause denial-of-service (DoS) conditions, execute commands, cause a core dump, or retrieve encrypted information of the administrator.
Zyxel resolved the bugs with firmware updates for the impacted firewalls. Firmware updates were released for many AP devices as well, while for others hotfixes are available by request.
Users should review Zyxel’s advisory on these vulnerabilities and update their devices if necessary.
Related: Zyxel Patches Critical Vulnerability in NAS Firmware
Related: Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities
Related: Zyxel Warns Customers of Attacks on Security Appliances