Security News > 2023 > May > Zyxel Issues Critical Security Patches for Firewall and VPN Products

Zyxel Issues Critical Security Patches for Firewall and VPN Products
2023-05-25 14:43

Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution.

Both the flaws - CVE-2023-33009 and CVE-2023-33010 - are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system.

ZyWALL/USG. Security researchers from TRAPA Security and STAR Labs SG have been credited with discovering and reporting the flaws.

The advisory comes less than a month after Zyxel shipped fixes for another critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems.

The issue, tracked as CVE-2023-28771, was also credited to TRAPA Security, with the networking equipment maker blaming it on improper error message handling.

It has since come under active exploitation by threat actors associated with the Mirai botnet.


News URL

https://thehackernews.com/2023/05/zyxel-issues-critical-security-patches.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-05-24 CVE-2023-33010 Classic Buffer Overflow vulnerability in Zyxel products
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
network
low complexity
zyxel CWE-120
critical
9.8
2023-05-24 CVE-2023-33009 Classic Buffer Overflow vulnerability in Zyxel products
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
network
low complexity
zyxel CWE-120
critical
9.8
2023-04-25 CVE-2023-28771 OS Command Injection vulnerability in Zyxel products
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
network
low complexity
zyxel CWE-78
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 485 3 121 77 45 246