PT-2023-7450 · Zyxel · Zyxel Atp Series+4
Published: 2023-01-10 · Updated: 2023-05-04
CVE-2023-22917
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions 5.10 through 5.32
Zyxel USG FLEX series versions 5.00 through 5.32
Zyxel USG FLEX 50(W) versions 5.10 through 5.32
Zyxel USG20(W)-VPN versions 5.10 through 5.32
Zyxel VPN series versions 5.00 through 5.35
Description
A buffer overflow vulnerability in the sdwan_iface_ipc binary could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. This vulnerability may allow an attacker to cause a denial of service by loading a specially crafted configuration file.
Recommendations
For Zyxel ATP series versions 5.10 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel USG FLEX series versions 5.00 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel USG FLEX 50(W) versions 5.10 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel USG20(W)-VPN versions 5.10 through 5.32, update to a version outside of this range to mitigate the risk.
For Zyxel VPN series versions 5.00 through 5.35, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the sdwan_iface_ipc binary to minimize the risk of exploitation. Avoid uploading crafted configuration files to vulnerable devices until the issue is resolved.
Fix
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Zyxel Atp Series
Zyxel Usg Flex 50
Zyxel Usg Flex Series
Zyxel Usg20(W)-Vpn
Zyxel Vpn Series