CVE-2023-28767
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2023-28767 is a vulnerability affecting multiple Zyxel firmware versions, including those for the ATP, USG FLEX, USG FLEX 50(W), USG20(W)-VPN, and VPN series. The issue lies in the configuration parser, which fails to sanitize user-controlled input. An unauthenticated attacker, located in the LAN, can exploit this vulnerability when cloud management mode is enabled, allowing them to inject OS commands into the device configuration data. This could potentially lead to significant security compromises. The Zyxel ATP series firmware versions 5.10 to 5.36, as well as the USG FLEX series firmware versions 5.00 to 5.36, USG FLEX 50(W) series firmware versions 5.10 to 5.36, USG20(W)-VPN series firmware versions 5.10 to 5.36, and VPN series firmware versions 5.00 to 5.36, are all vulnerable to this issue. An attacker can take advantage of this vulnerability by injecting OS commands into the device configuration data of an affected device. This can result in potential security breaches and unauthorized access to the device, particularly when the cloud management mode is enabled.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Zyxel Usg Flex 200 Firmware
- Zyxel Usg Flex 500 Firmware
- Zyxel Usg Flex 100 Firmware
- Zyxel Usg Flex 100w Firmware
- Zyxel Usg Flex 700 Firmware
Affected Vendors
- ZyXEL
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions