
Network equipment manufacturer Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.
The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers at TRAPA Security are credited with reporting the flaw.
Zyxel stated in an advisory dated April 25, 2023: "Improper error message handling in some firewall versions could allow unauthenticated attackers to send crafted packets to affected devices, which may allow remote execution of some OS commands."
The products affected by this defect are:
- ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36)
- VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and
- ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)
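The affected-version list above is the check an administrator actually has to run against a device inventory, and the ZyWALL/USG line is the awkward case: ZLD V4.73 is affected while ZLD V4.73 Patch 1 is fixed, so a plain "major.minor" comparison gets it wrong. The following script is an added example written for this article, not Zyxel's code or tooling; it encodes the four ranges exactly as the advisory states them, parses "ZLD Vx.yy [Patch n]" strings into comparable tuples, and classifies each device. The `INVENTORY` entries are constructed sample data, and the labels returned by `assess()` are this example's own. Versions older than V4.60 are reported as outside the stated range rather than as safe, because the advisory does not vouch for them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A ZLD version is compared as (major, minor, patch_level):
# "ZLD V5.35" -> (5, 35, 0), "ZLD V4.73 Patch 1" -> (4, 73, 1).
Version = Tuple[int, int, int]

VERSION_RE = re.compile(r"ZLD\s*V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_zld(text: str) -> Version:
    """Parse a Zyxel ZLD version string; raises ValueError on anything else."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not a ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


@dataclass(frozen=True)
class AffectedRange:
    first: Version   # first affected version named by the advisory
    fixed: Version   # first version that carries the fix


# CVE-2023-28771 ranges, transcribed from the advisory as quoted in the article.
# Anything at or above `first` and below `fixed` is treated as affected; this is
# the conservative reading, so an interim patch level such as "V5.35 Patch 1"
# still counts as affected because it is below V5.36.
ADVISORY: Dict[str, AffectedRange] = {
    "ATP":        AffectedRange(parse_zld("ZLD V4.60"), parse_zld("ZLD V5.36")),
    "USG FLEX":   AffectedRange(parse_zld("ZLD V4.60"), parse_zld("ZLD V5.36")),
    "VPN":        AffectedRange(parse_zld("ZLD V4.60"), parse_zld("ZLD V5.36")),
    "ZyWALL/USG": AffectedRange(parse_zld("ZLD V4.60"), parse_zld("ZLD V4.73 Patch 1")),
}


def assess(product: str, version: str) -> str:
    """Classify one device as 'affected', 'patched' or 'older than affected range'."""
    rng = ADVISORY[product]            # KeyError for products the advisory does not list
    v = parse_zld(version)
    if v >= rng.fixed:
        return "patched"
    if v >= rng.first:
        return "affected"
    # Below V4.60: not in the advisory's range, but not declared safe either.
    return "older than affected range"


def report(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) pairs for an inventory of (hostname, product, version)."""
    return [(host, assess(product, version)) for host, product, version in inventory]


# Constructed sample inventory (hostnames, products and versions are made up).
INVENTORY = [
    ("fw-branch-1", "ATP",        "ZLD V5.35"),
    ("fw-branch-2", "ATP",        "ZLD V5.36"),
    ("fw-legacy-1", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-legacy-2", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-old",      "USG FLEX",   "ZLD V4.59"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host:14} {status}")
```

The tuple comparison is what makes the ZyWALL/USG case come out right: (4, 73, 0) sorts below (4, 73, 1), so an unpatched V4.73 is flagged while V4.73 Patch 1 is not. Feed it the version string from each device's firmware page or CLI rather than from a spreadsheet that has already lost the patch level.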
Zyxel has also addressed a high-severity post-authentication command injection vulnerability affecting some firewall versions (CVE-2023-27991, CVSS score: 8.8) that could allow an authenticated attacker to execute some OS commands remotely.
This flaw, which affects ATP, USG FLEX, USG FLEX 50(W) / USG20(W)-VPN, and VPN devices, has been fixed in ZLD V5.36.
Finally, the company also shipped fixes for six high-severity flaws (CVE-2023-22913 through CVE-2023-22918) affecting several firewall and access point (AP) devices that could lead to a denial-of-service (DoS) condition.
Nikita Abramov of Russian cybersecurity firm Positive Technologies is credited with reporting these issues. Earlier this year, Abramov discovered four command injection and buffer overflow vulnerabilities in Zyxel CPEs, fiber ONTs and Wi-Fi extenders.
The most severe flaw is CVE-2022-43389 (CVSS score: 9.8), a buffer overflow vulnerability affecting 5G NR/4G LTE CPE devices.
“There was no need to abuse authentication to execute arbitrary code on the device,” Abramov explained at the time. “As a result, an attacker could gain remote access to the device and take full control of its operation.”