Information Exposure Vulnerability in Zyxel ATP and USG FLEX Series Firmware
CVE-2023-22918

6.5 MEDIUM

Summary

An information exposure vulnerability exists in the CGI program of Zyxel's ATP and USG FLEX series firmware, affecting several versions. This flaw enables remote authenticated attackers to potentially access sensitive, encrypted administrative information from affected devices. The vulnerability affects multiple products including several versions of the Zyxel ATP, USG FLEX, and VPN series firmware, as well as selected access points, putting administrative data at risk.

Affected Version(s)

ATP series firmware 4.32 through 5.35

NWA110AX firmware <= 6.50(ABTG.2)

USG FLEX 50(W) firmware 4.16 through 5.35

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
