Post-Authentication Command Injection Vulnerability Affects Zyxel ATP Series, USG FLEX Series, USG FLEX 50(W) Series, USG20(W)-VPN Series, NWA50AX, WAC500, WAX300H, and WBE660S Firmware
CVE-2023-6398

7.2 HIGH

Key Information:

Summary

A post-authentication command injection vulnerability exists in the file upload binary of multiple Zyxel devices. It affects the firmware versions listed below across the ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, NWA50AX, WAC500, WAX300H and WBE660S series. An attacker who already holds administrator credentials and can reach the device's FTP service can use it to execute operating system commands on the device, compromising its integrity and availability. Because administrator privileges are required (CVSS Privileges Required: High), the exposure is greatest where the FTP service is reachable from untrusted networks or where administrator credentials are weak or shared; the fix is to upgrade to patched firmware, and restricting FTP access to trusted management networks limits exposure until that is done.

Affected Version(s)

NWA50AX firmware < 6.29(ABYW.4)

WAC500 firmware < 6.70(ABVS.1)

ATP series firmware version 4.32 through 5.37 Patch 1
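The following is an added example, not code from Zyxel or from the original page: a small checker that parses the firmware strings in the formats this advisory uses ("4.32", "5.37 Patch 1", "6.29(ABYW.4)") and reports whether a device falls inside the three affected ranges listed above. It assumes that the trailing number, whether written as "Patch N" or as the ".N" inside the parenthesised build code, is the patch level, and that the letters of the build code do not affect ordering within a single model; the advisory does not state this, so treat it as an assumption. The model names and inventory in the block are constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Firmware strings seen on this page: "4.32", "5.37 Patch 1", "6.29(ABYW.4)".
# Assumption (not stated by the advisory): the trailing number, whether written
# "Patch N" or as the ".N" inside the parenthesised build code, is the patch
# level, and the build-code letters do not affect ordering within one model.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)"                             # major.minor
    r"(?:\s*Patch\s*(\d+)|\s*\([A-Z]+\.(\d+)\))?"   # optional "Patch N" or "(CODE.N)"
    r"\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Turn a Zyxel firmware string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, patch_a, patch_b = m.groups()
    patch = patch_a or patch_b or "0"
    return (int(major), int(minor), int(patch))


# (low, high, high_inclusive) per model, transcribed from the Affected Version(s)
# list above. A low of None means every earlier release is affected.
AFFECTED: Dict[str, Tuple[Optional[Version], Version, bool]] = {
    "NWA50AX": (None, parse_version("6.29(ABYW.4)"), False),                  # < 6.29(ABYW.4)
    "WAC500":  (None, parse_version("6.70(ABVS.1)"), False),                  # < 6.70(ABVS.1)
    "ATP":     (parse_version("4.32"), parse_version("5.37 Patch 1"), True),  # 4.32 .. 5.37 Patch 1
}


def is_affected(model: str, version: str) -> bool:
    """True if `version` of `model` falls inside the range listed on this page."""
    try:
        low, high, inclusive = AFFECTED[model.upper()]
    except KeyError:
        raise ValueError(f"no affected range on this page for model {model!r}") from None
    v = parse_version(version)
    if low is not None and v < low:
        return False
    return v <= high if inclusive else v < high


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [
        ("ATP", "5.37 Patch 1"),
        ("ATP", "5.37 Patch 2"),
        ("NWA50AX", "6.29(ABYW.3)"),
        ("WAC500", "6.70(ABVS.1)"),
    ]
    for model, fw in inventory:
        print(f"{model:8} {fw:16} affected={is_affected(model, fw)}")
```

Only the three ranges this page lists are encoded; the other series named in the title would need their bounds added from the vendor advisory before the checker can answer for them, and an unknown model raises rather than silently returning "not affected".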

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
