Zyxel fixed a critical RCE flaw in its firewall devices and urges customers to install the patches

A vulnerability impacting Zyxel firewalls, tracked as CVE-2023-28771, can be exploited to execute arbitary code on vulnerable devices.

Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), impacting Zyxel Firewall.

The vulnerability is an improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted packets to a vulnerable device and execute some OS commands remotely.

Zyxel has released security patches to address the vulnerability and urges customers to install them.

“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.” reads the advisory published by the vendor.

The company also fixed a high-severity post-authentication command injection issue (CVE-2023-27991, CVSS score: 8.8) affecting some specific firewall versions.

The vulnerability resides in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35. The vulnerability can be exploited by a remote, authenticated attacker to execute some OS commands.

The last vulnerability addressed by the company is an XSS vulnerability, tracked as CVE-2023-27990, that affects some firewall versions.

“The XSS vulnerability in some firewall versions could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device.” reads the advisory published by the vendor. “A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.”

Both CVE-2023-27990 and CVE-2023-27991 were reported by Alessandro Sgreccia from Tecnical Service SRL.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Zyxel firewalls)