CVE-2023-34139

Name of the Vulnerable Software and Affected Versions Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 Zyxel VPN series firmware versions 4.20 through 5.36 Patch 2

Description A command injection vulnerability in the Free Time WiFi hotspot feature could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device. The vulnerability is related to the failure to neutralize special elements used in the operating system command, which may allow a remote attacker to execute arbitrary commands.

Recommendations For Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2, consider disabling the Free Time WiFi hotspot feature until a patch is available. For Zyxel VPN series firmware versions 4.20 through 5.36 Patch 2, restrict access to the Free Time WiFi hotspot feature to minimize the risk of exploitation. As a temporary workaround, avoid using the Free Time WiFi hotspot feature in both Zyxel USG FLEX and VPN series until the issue is resolved.