PT-2023-3348 · Zyxel · Zyxel Usg Flex+1

Published: 2023-04-24 · Updated: 2023-05-04 · CVE-2023-22913

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zyxel USG FLEX series firmware versions 4.50 through 5.35; Zyxel VPN series firmware versions 4.30 through 5.35.

Description: A post-authentication command injection vulnerability in the account operator.cgi CGI program could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device. The vulnerability stems from a failure to neutralize special elements used in an operating system command.

Recommendations: For Zyxel USG FLEX series firmware versions 4.50 through 5.35, consider disabling the account operator.cgi CGI program until a patch is available. For Zyxel VPN series firmware versions 4.30 through 5.35, restrict access to the account operator.cgi CGI program to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Command Injection

Related Identifiers

BDU:2023-03504
CVE-2023-22913

Affected Products

Zyxel USG FLEX
Zyxel VPN