CVE-2023-33009

Name of the Vulnerable Software and Affected Versions Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1 Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1 Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1 Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1 Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1 Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1

Description A buffer overflow vulnerability in the notification function could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. The vulnerability is related to a lack of size checking for input data, which can be exploited by a remote attacker.

Recommendations For Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1, update to a version later than 5.36 Patch 1. For Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, update to a version later than 4.73 Patch 1. As a temporary workaround, consider disabling the notification function until a patch is available.