Input Validation Flaw in Zyxel Firewall Firmware
CVE-2023-28767

8.8HIGH

Key Information:

Vendor: Zyxel
Status: Atp Series Firmware; Usg Flex Series Firmware; Usg Flex 50(w) Series Firmware; Usg20(w)-vpn Series Firmware
Vendor: CVE Published:; 17 July 2023

What is CVE-2023-28767?

A vulnerability exists in the configuration parser of Zyxel's firewall firmware that fails to adequately sanitize user-controlled input. This issue affects multiple firmware versions across the Zyxel ATP and USG FLEX series. An unauthenticated attacker on the local network could exploit this weakness when cloud management mode is enabled, allowing for the injection of operating system commands into the device’s configuration data, potentially compromising device integrity and security.

Affected Version(s)

ATP series firmware 5.10 through 5.36

USG FLEX 50(W) series firmware 5.10 through 5.36

USG FLEX series firmware 5.00 through 5.36

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 17, 2023
Vulnerability Reserved
Mar 23, 2023