The issue tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw.
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023.
Products impacted by the flaw are –
- ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
- ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute some OS commands remotely.
The shortcoming, which impacts ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been resolved in ZLD V5.36.
Lastly, the company also shipped fixes for five high-severity flaws affecting several firewalls and access point (AP) devices (from CVE-2023-22913 to CVE-2023-22918) that could result in code execution and cause a denial-of-service (DoS) condition.
Nikita Abramov from Russian cybersecurity company Positive Technologies has been credited for reporting the issues. Abramov, earlier this year, also discovered four command injection and buffer overflow vulnerabilities in CPE, fiber ONTs, and WiFi extenders.
The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.
“It did not require authentication to be exploited and led to arbitrary code execution on the device,” Abramov explained at the time. “As a result, an attacker could gain remote access to the device and fully control its operation.”