Taiwanese network equipment manufacturer Zyxel has released patches for a critical-severity vulnerability affecting its ATP, USG FLEX, VPN, and ZyWALL/USG firewalls. The vulnerability, identified as CVE-2023-28771 with a CVSS score of 9.8, can be exploited remotely for operating system (OS) command execution. Zyxel's advisory states, “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.” The issue affects ATP, USG FLEX, and VPN firmware versions 4.60 to 5.35, and ZyWALL/USG firmware versions 4.60 to 4.73. Fixes have been included in ATP, USG FLEX, and VPN firmware releases 5.36 and ZyWALL/USG firmware version 4.73 Patch 1. Users are urged to update their firewalls promptly.
Although the vulnerability has not been observed in malicious attacks, unpatched Zyxel appliances have been targeted by threat actors in the past. The firmware updates for ATP, USG FLEX, and VPN firewalls also address a high-severity command injection issue, tracked as CVE-2023-27991. This vulnerability has been fixed in USG FLEX 50(W) / USG20(W)-VPN firewalls as well, with firmware version 5.36.
In addition to these vulnerabilities, Zyxel announced fixes for several high-severity flaws in multiple firewalls and access point (AP) models this week. These vulnerabilities could be exploited to trigger denial-of-service (DoS) conditions, execute commands, cause a core dump, or obtain encrypted administrator information. To resolve these issues, Zyxel has released firmware updates for the affected firewalls and many AP devices. Hotfixes for other devices are available upon request. Users should consult Zyxel's advisory on these vulnerabilities and update their devices as needed.