Zyxel · Zyxel ATP Series · CVE-2024-7203
**Name of the Vulnerable Software and Affected Versions**
Zyxel ATP series firmware versions from V4.60 through V5.38
Zyxel USG FLEX series firmware versions from V4.60 through V5.38
**Description**
A post-authentication command injection vulnerability exists in the firmware of Zyxel ATP and USG FLEX series devices. An authenticated attacker with administrator privileges could execute certain operating system commands on an affected device by running a crafted CLI command. The vulnerability arises because special elements used in the operating system command are not neutralized.
**Recommendations**
For Zyxel ATP series firmware versions from V4.60 through V5.38, update to a version that contains a fix for this issue.
For Zyxel USG FLEX series firmware versions from V4.60 through V5.38, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the CLI command to minimize the risk of exploitation.
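To find which devices in an inventory fall inside the affected range above, the following added example (not part of the original advisory or any Zyxel tooling) classifies model and firmware pairs. It assumes version strings of the form `V5.38` with an optional parenthesised build suffix and two-digit minor versions; the inventory entries are constructed sample data.

```python
import re

# Affected range as stated in the advisory: V4.60 through V5.38, inclusive.
AFFECTED_MIN = (4, 60)
AFFECTED_MAX = (5, 38)
AFFECTED_SERIES = ("ATP", "USG FLEX")

# Assumption: "V<major>.<two-digit minor>" plus an optional "(...)" build suffix.
# A one-digit minor such as "4.6" is rejected rather than guessed, because it
# usually means the value was stored as a number and "4.60" lost its zero.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d{2})(?:\s*\(.*\))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor) as integers, or None if the string is not parseable."""
    m = _VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_affected_series(model):
    """True if the model name belongs to the ATP or USG FLEX series."""
    name = " ".join(model.upper().split())
    return name.startswith(AFFECTED_SERIES)


def triage(model, version):
    """Classify a device as affected, outside-range, out-of-scope or unknown."""
    if not in_affected_series(model):
        return "out-of-scope"
    v = parse_version(version)
    if v is None:
        return "unknown"  # needs manual review, never silently cleared
    # Integer tuples avoid the string/float pitfalls of comparing "4.60" to "5.38".
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside-range"


# Constructed sample inventory (model, firmware string) for illustration only.
SAMPLE_INVENTORY = [
    ("ATP200", "V5.38(XXXX.0)"),
    ("USG FLEX 100", "V4.60"),
    ("USG FLEX 500", "V4.35"),
    ("ATP500", "V5.39"),
    ("ATP100", "4.6"),
    ("USG40", "V4.60"),
]

if __name__ == "__main__":
    for model, version in SAMPLE_INVENTORY:
        print(f"{model:14} {version:16} {triage(model, version)}")
```

`outside-range` only means the version is not in the range this advisory lists; confirm the fixed release against the vendor's advisory before closing the item.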