Improper Privilege Management Vulnerability in Zyxel ATP and USG FLEX Series Firmware
CVE-2023-5650

5.5MEDIUM

Key Information:

Vendor: Zyxel
Status: ATP series firmware; USG FLEX series firmware; USG FLEX 50(W) series firmware; USG20(W)-VPN series firmware
Vendor: CVE Published:; 28 November 2023

Summary

An improper privilege management flaw in the ZySH component of several Zyxel firewall firmware versions could enable an authenticated local attacker to tamper with the registration page URL in the web GUI of affected devices. This vulnerability compromises the integrity of the device settings, potentially leading to further attacks or unauthorized access.

Affected Version(s)

USG20(W)-VPN series firmware versions 4.16 through 5.37

ATP series firmware versions 4.32 through 5.37

USG FLEX 50(W) series firmware versions 4.16 through 5.37

References

https://www.zyxel.com/global/en/support/security-advisori...

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 28, 2023
Vulnerability Reserved
Oct 19, 2023