CVE-2023-33012

Name of the Vulnerable Software and Affected Versions Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2 Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2 Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2 Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2 Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2

Description The issue is related to a command injection vulnerability in the configuration parser of the affected Zyxel devices. This vulnerability can be exploited by an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. The exploitation occurs during an attempted ip addr command, and the order of operations is important for successful exploitation. It is estimated that out of approximately 7,600 devices using vulnerable firmware, around 607 were using the vulnerable configuration.

Recommendations For Zyxel USG FLEX series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. For Zyxel VPN series firmware versions 5.00 through 5.36 Patch 2, update to a version later than 5.36 Patch 2. As a temporary workaround, consider disabling the cloud management mode until a patch is available. Restrict access to the GRE configuration to minimize the risk of exploitation. Avoid using the proto vti configuration option in the affected API endpoint until the issue is resolved.