Atdog

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1 Zyxel USG FLEX series firmware versions from 4.50 through 5.37 Patch 1 Zyxel USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1 Zyxel USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1 **Description** A format string vulnerability in the IPSec VPN feature could allow an attacker to achieve unauthorized remote code execution by sending a sequence of specially crafted payloads containing an invalid pointer. However, such an attack would require detailed knowledge of an affected device’s memory layout and configuration. The vulnerability is related to the use of uncontrolled format strings. **Recommendations** For Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. As a temporary workaround, consider disabling the IPSec VPN feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.37 Patch 1 Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1 Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Patch 1 Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Patch 1 Zyxel USG FLEX H series versions 1.10 through 1.10 Patch 1 **Description** A format string vulnerability could allow an authenticated IPSec VPN user to cause DoS conditions against the `deviceid` daemon by sending a crafted hostname to an affected device if it has the `Device Insight` feature enabled. This issue is related to the use of uncontrolled format strings in the `Device Insight` feature of the affected devices. **Recommendations** For Zyxel ATP series versions 4.32 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For Zyxel USG FLEX H series versions 1.10 through 1.10 Patch 1, update to a version later than 1.10 Patch 1. As a temporary workaround, consider disabling the `Device Insight` feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZyXEL USG FLEX versions 4.50 through 5.37 Patch 1 ZyXEL USG FLEX 50(W)/USG20(W)-VPN versions 4.16 through 5.37 Patch 1 ZyXEL USG FLEX H versions 1.10 through 1.10 Patch 1 ZyXEL ATP series firmware versions 4.32 through 5.37 Patch 1 NWA50AX firmware versions through 6.29(ABYW.3) WAC500 firmware versions through 6.65(ABVS.1) WAX300H firmware versions through 6.60(ACHF.1) WBE660S firmware versions through 6.65(ACGG.1) **Description** The issue is related to a post-authentication command injection vulnerability in the file upload binary, allowing an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP. This can be achieved by exploiting the vulnerability in the file upload process, which does not properly neutralize special elements used in the command. **Recommendations** For ZyXEL USG FLEX versions 4.50 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For ZyXEL USG FLEX 50(W)/USG20(W)-VPN versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For ZyXEL USG FLEX H versions 1.10 through 1.10 Patch 1, update to a version later than 1.10 Patch 1. For ZyXEL ATP series firmware versions 4.32 through 5.37 Patch 1, update to a version later than 5.37 Patch 1. For NWA50AX firmware versions through 6.29(ABYW.3), update to a version later than 6.29(ABYW.3). For WAC500 firmware versions through 6.65(ABVS.1), update to a version later than 6.65(ABVS.1). For WAX300H firmware versions through 6.60(ACHF.1), update to a version later than 6.60(ACHF.1). For WBE660S firmware versions through 6.65(ACGG.1), update to a version later than 6.65(ACGG.1). As a temporary workaround, consider restricting access to the FTP service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 4.32 through 5.37 Patch 1 Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1 **Description** A null pointer dereference issue in the Anti-Malware feature of Zyxel ATP and USG FLEX series firmware could allow a LAN-based attacker to cause denial-of-service (DoS) conditions by downloading a crafted RAR compressed file onto a LAN-side host. This issue is related to pointer dereference errors and can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Zyxel ATP series versions 4.32 through 5.37 Patch 1, consider disabling the `Anti-Malware` feature until a patch is available. For Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1, consider disabling the `Anti-Malware` feature until a patch is available. As a temporary workaround, avoid using the `Anti-Malware` feature in the affected firmware versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series firmware versions 4.32 through 5.37 Zyxel USG FLEX series firmware versions 4.50 through 5.37 Zyxel USG FLEX 50(W) series firmware versions 4.16 through 5.37 Zyxel USG20(W)-VPN series firmware versions 4.16 through 5.37 Zyxel VPN series firmware versions 4.30 through 5.37 **Description** The issue is related to an integer overflow vulnerability in the QuickSec IPSec toolkit used in the VPN feature of various Zyxel devices. This vulnerability could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions on an affected device by sending a crafted IKE packet. **Recommendations** For Zyxel ATP series firmware versions 4.32 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit. For Zyxel USG FLEX series firmware versions 4.50 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit. For Zyxel USG FLEX 50(W) series firmware versions 4.16 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit. For Zyxel USG20(W)-VPN series firmware versions 4.16 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit. For Zyxel VPN series firmware versions 4.30 through 5.37, update to a version that fixes the integer overflow vulnerability in the QuickSec IPSec toolkit. As a temporary workaround, consider restricting access to the IKE packet handling functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1 Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1 Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1 Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1 Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1 Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1 **Description** A buffer overflow vulnerability in the notification function could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. The vulnerability is related to a lack of size checking for input data, which can be exploited by a remote attacker. **Recommendations** For Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, update to a version later than 4.73 Patch 1. As a temporary workaround, consider disabling the notification function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 5.10 through 5.36 Patch 2 Zyxel USG FLEX series versions 5.00 through 5.36 Patch 2 Zyxel USG FLEX 50(W) series versions 5.10 through 5.36 Patch 2 Zyxel USG20(W)-VPN series versions 5.10 through 5.36 Patch 2 Zyxel VPN series versions 5.00 through 5.36 Patch 2 **Description** A format string vulnerability in the Zyxel firmware could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted PPPoE configuration on an affected device when the cloud management mode is enabled. The vulnerability is related to the use of uncontrolled format strings, which may allow a remote attacker to execute arbitrary commands. **Recommendations** For Zyxel ATP series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG FLEX series versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG FLEX 50(W) series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG20(W)-VPN series versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel VPN series versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. As a temporary workaround, consider disabling the cloud management mode until a patch is available. Restrict access to the PPPoE configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2 Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2 Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2 Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2 Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2 **Description** The issue is related to a command injection vulnerability in the configuration parser of the affected Zyxel devices. This vulnerability can be exploited by an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. The exploitation occurs during an attempted `ip addr` command, and the order of operations is important for successful exploitation. It is estimated that out of approximately 7,600 devices using vulnerable firmware, around 607 were using the vulnerable configuration. **Recommendations** For Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. As a temporary workaround, consider disabling the cloud management mode until a patch is available. Restrict access to the GRE configuration to minimize the risk of exploitation. Avoid using the `proto vti` configuration option in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP series versions 5.10 through 5.36 Zyxel USG FLEX series versions 5.00 through 5.36 Zyxel USG FLEX 50(W) series versions 5.10 through 5.36 Zyxel USG20(W)-VPN series versions 5.10 through 5.36 Zyxel VPN series versions 5.00 through 5.36 **Description** The configuration parser fails to sanitize user-controlled input in the affected Zyxel devices. An unauthenticated, LAN-based attacker could leverage this issue to inject operating system (OS) commands into the device configuration data on an affected device when the cloud management mode is enabled. **Recommendations** For Zyxel ATP series versions 5.10 through 5.36, update to a version that includes a fix for this issue. For Zyxel USG FLEX series versions 5.00 through 5.36, update to a version that includes a fix for this issue. For Zyxel USG FLEX 50(W) series versions 5.10 through 5.36, update to a version that includes a fix for this issue. For Zyxel USG20(W)-VPN series versions 5.10 through 5.36, update to a version that includes a fix for this issue. For Zyxel VPN series versions 5.00 through 5.36, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the cloud management mode until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72 Zyxel VPN series firmware versions 4.30 through 5.32 Zyxel USG FLEX series firmware versions 4.50 through 5.32 Zyxel ATP series firmware versions 4.32 through 5.32 **Description** The issue is related to a command injection vulnerability in the CLI command of Zyxel's firmware, which could allow an authenticated attacker with administrator privileges to execute OS commands. This is due to the lack of proper sanitization of special elements used in the OS command. The exploitation of this issue may enable a remote attacker to execute arbitrary commands. **Recommendations** For Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, update to a version outside of this range to mitigate the risk. For Zyxel VPN series firmware versions 4.30 through 5.32, update to a version outside of this range to mitigate the risk. For Zyxel USG FLEX series firmware versions 4.50 through 5.32, update to a version outside of this range to mitigate the risk. For Zyxel ATP series firmware versions 4.32 through 5.32, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the CLI command to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: NETGEAR R7800 version 1.0.2.76 Description: This issue allows network-adjacent attackers to execute arbitrary code on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the handling of the `vendor specific` DHCP opcode. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this issue to execute code in the context of root. Recommendations: For NETGEAR R7800 version 1.0.2.76, consider applying a patch or update that addresses the improper validation of user-supplied strings in the handling of the `vendor specific` DHCP opcode. As a temporary workaround, restrict access to the DHCP service to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** NETGEAR EX7000 versions prior to 1.0.0.64 NETGEAR EX6200 versions prior to 1.0.3.86 NETGEAR EX6150 versions prior to 1.0.0.38 NETGEAR EX6130 versions prior to 1.0.0.22 NETGEAR EX6120 versions prior to 1.0.0.40 NETGEAR EX6100 versions prior to 1.0.2.22 NETGEAR EX6000 versions prior to 1.0.0.30 NETGEAR EX3700 versions prior to 1.0.0.70 NETGEAR EX3800 versions prior to 1.0.0.70 NETGEAR R8300 versions prior to 1.0.2.94 NETGEAR R7300DST versions prior to 1.0.0.62 NETGEAR R7000P versions prior to 1.3.0.20 NETGEAR R6900P versions prior to 1.3.0.20 NETGEAR R6400 versions prior to 1.0.1.32 NETGEAR R6300v2 versions prior to 1.0.4.24 NETGEAR R8500 versions prior to 1.0.2.94 NETGEAR WNDR3400v3 versions prior to 1.0.1.18 NETGEAR WN2500RPv2 versions prior to 1.0.1.52 **Description** The issue is related to reflected XSS, which affects certain NETGEAR devices. **Recommendations** Update EX7000 to version 1.0.0.64 or later Update EX6200 to version 1.0.3.86 or later Update EX6150 to version 1.0.0.38 or later Update EX6130 to version 1.0.0.22 or later Update EX6120 to version 1.0.0.40 or later Update EX6100 to version 1.0.2.22 or later Update EX6000 to version 1.0.0.30 or later Update EX3700 to version 1.0.0.70 or later Update EX3800 to version 1.0.0.70 or later Update R8300 to version 1.0.2.94 or later Update R7300DST to version 1.0.0.62 or later Update R7000P to version 1.3.0.20 or later Update R6900P to version 1.3.0.20 or later Update R6400 to version 1.0.1.32 or later Update R6300v2 to version 1.0.4.24 or later Update R8500 to version 1.0.2.94 or later Update WNDR3400v3 to version 1.0.1.18 or later Update WN2500RPv2 to version 1.0.1.52 or later