Buffer Overflow Vulnerability in Zyxel ATP and USG FLEX Series Firmware
CVE-2023-37926

5.5MEDIUM

Key Information:

Vendor: Zyxel
Status: ATP series firmware; USG FLEX series firmware; USG FLEX 50(W) series firmware; USG20(W)-VPN series firmware
Vendor: CVE Published:; 28 November 2023

What is CVE-2023-37926?

A critical buffer overflow vulnerability in specific firmware versions of Zyxel's ATP and USG FLEX series could potentially allow local authenticated attackers to trigger denial-of-service (DoS) conditions. By executing a tailored CLI command designed to dump system logs, attackers could exploit this flaw, impacting the normal operation of affected devices. Users are advised to review their firmware versions and update to secure their systems against potential exploitation.

Affected Version(s)

ATP series firmware versions 4.32 through 5.37

USG FLEX 50(W) series firmware versions 4.16 through 5.37

USG FLEX series firmware versions 4.50 through 5.37

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 28, 2023
Vulnerability Reserved
Jul 11, 2023