PT-2023-7306 · Zyxel · Zyxel VPN Series +8
Alessandro Sgreccia
Published: 2023-10-26 · Updated: 2023-12-04
CVE-2023-5797
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions 4.32 through 5.37
Zyxel USG FLEX series versions 4.50 through 5.37
Zyxel USG FLEX 50(W) series versions 4.16 through 5.37
Zyxel USG20(W)-VPN series versions 4.16 through 5.37
Zyxel VPN series versions 4.30 through 5.37
Zyxel NWA50AX version 6.29(ABYW.2)
Zyxel WAC500 version 6.65(ABVS.1)
Zyxel WAX300H version 6.60(ACHF.1)
Zyxel WBE660S version 6.65(ACGG.1)
Description
The vulnerability stems from improper privilege management in the debug CLI command of the affected Zyxel devices. An authenticated local attacker could use it to read the administrator's logs on an affected device. The root cause is a deficiency in access control: the debug CLI command does not adequately restrict which privilege level may reach this data.
Recommendations
For each affected product and version range, update to a version that fixes the improper privilege management issue:
Zyxel ATP series versions 4.32 through 5.37
Zyxel USG FLEX series versions 4.50 through 5.37
Zyxel USG FLEX 50(W) series versions 4.16 through 5.37
Zyxel USG20(W)-VPN series versions 4.16 through 5.37
Zyxel VPN series versions 4.30 through 5.37
Zyxel NWA50AX version 6.29(ABYW.2)
Zyxel WAC500 version 6.65(ABVS.1)
Zyxel WAX300H version 6.60(ACHF.1)
Zyxel WBE660S version 6.65(ACGG.1)
As a temporary workaround until a patch is available, restrict access to the debug CLI command to the administrator accounts that need it.
Fix
Weakness Enumeration
Improper Privilege Management
Related Identifiers
Affected Products
Zyxel ATP Series
Zyxel NWA50AX
Zyxel USG FLEX 50(W) Series
Zyxel USG FLEX Series
Zyxel USG20(W)-VPN Series
Zyxel VPN Series
Zyxel WAC500
Zyxel WAX300H
Zyxel WBE660S