Format String Vulnerability in Zyxel ATP and USG FLEX Series Firmware
CVE-2023-33011
8.8 HIGH
Key Information:
- Vendor: Zyxel
- Status: Vendor
- CVE Published: 17 July 2023
Summary
This format string vulnerability in the Zyxel ATP and USG FLEX series firmware allows an unauthenticated attacker within the local network to execute arbitrary operating system commands. The flaw is reachable through a specially crafted PPPoE configuration while cloud management mode is active on the affected firmware versions, potentially compromising device integrity and network security.
Affected Version(s)
ATP series firmware 5.10 through 5.36 Patch 2
USG FLEX 50(W) series firmware 5.10 through 5.36 Patch 2
USG FLEX series firmware 5.00 through 5.36 Patch 2
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved