Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices. This flaw could allow attackers to remotely execute code on affected systems.
A security flaw in Zyxel’s firewall devices, identified as CVE-2023-28771, has a high CVSS score of 9.8.
Products impacted by the flaw are –
- ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
- ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
Zyxel addressed a high-severity post-authentication command injection vulnerability affecting select firewall versions (CVE-2023-27991, CVSS score: 8.8) that could permit an authenticated attacker to execute OS commands remotely.
The shortcoming, which impacts ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been resolved in ZLD V5.36.
In addition to the critical flaw, Zyxel has also addressed several other vulnerabilities in its devices. These include five high-severity flaws and one medium-severity flaw that could potentially lead to code execution and result in a denial-of-service (DoS) condition.
The most severe of the flaws is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability impacting 5G NR/4G LTE CPE devices.
Reference: thehackernews.com/2023/04/zyxel-firewall-devices-vulnerable-to.html