PT-2023-7789 · Zyxel · Zyxel ATP series (+4 further product lines)
Alessandro Sgreccia
Published 2023-04-24 · Updated 2023-06-13
CVE-2023-27991
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions 4.32 through 5.35
Zyxel USG FLEX series versions 4.50 through 5.35
Zyxel USG FLEX 50(W) versions 4.16 through 5.35
Zyxel USG20(W)-VPN versions 4.16 through 5.35
Zyxel VPN series versions 4.30 through 5.35
Description
CVE-2023-27991 is a post-authentication OS command injection in a CLI command of the affected Zyxel firewalls. An attacker who already holds valid credentials for a management interface that exposes the CLI can pass crafted input to the vulnerable command and have it interpreted by the underlying OS shell, so the injected part runs with the privileges of the CLI process rather than being treated as a command argument. That is why the vector carries full confidentiality, integrity and availability impact (C:C/I:C/A:C) even though it requires a single authenticated account (Au:S). The second weakness tagged on this page, missing protection of the web page structure (XSS), is a separate issue: it lets a remote attacker have a script executed in the browser of an administrator who views the affected page, not on the device itself.
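The pattern behind this weakness class, as an added illustration rather than Zyxel's own CLI code: a handler that takes an operator-supplied argument (here a host for a diagnostic command) and builds a shell command line from it, next to the argv-only half fix and a hardened form with an allowlist. The command run is `echo` standing in for the real tool so it executes offline; the handler shape, the `_HOST_RE` allowlist and the function names are assumptions made for the example.

```python
import re
import subprocess

# Constructed example of post-authentication CLI command injection. The tool
# ("echo" by default, standing in for ping/traceroute) and the handler shape
# are assumptions; this is not Zyxel's code.

# Allowlist for a host argument: letters, digits, dots, hyphens and colons
# (hostnames, IPv4 and IPv6 literals). The first character may not be "-",
# so the value can never be parsed as an option of the target binary.
_HOST_RE = re.compile(r"^[A-Za-z0-9:][A-Za-z0-9.\-:]{0,252}$")


def run_vulnerable(host: str, tool: str = "echo") -> str:
    """Vulnerable pattern: concatenate the argument into a command line and
    hand it to /bin/sh. Any shell metacharacter in `host` (; | & $( ) ` and
    newline) is interpreted, so '10.0.0.1; id' becomes two commands."""
    cmdline = f"{tool} {host}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str, tool: str = "echo") -> str:
    """Half fix: no shell involved, the argument is one argv element and
    metacharacters are passed literally. Argument injection is still
    possible, because a host starting with '-' reaches the tool's option
    parser (e.g. a flood or count option for ping)."""
    return subprocess.run([tool, host], shell=False, capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Allowlist check; raises on anything that is not a plain host literal."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def is_rejected(host: str) -> bool:
    """True if the hardened handler would refuse this argument."""
    try:
        validate_host(host)
    except ValueError:
        return True
    return False


def run_hardened(host: str, tool: str = "echo") -> str:
    """Hardened handler: allowlist validation first, then argv execution with
    no shell. Both layers are needed: argv stops shell injection, the
    allowlist stops option/argument injection into the tool itself."""
    host = validate_host(host)
    return subprocess.run([tool, host], shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))   # second command ran
    print("argv only  :", repr(run_argv_only(payload)))    # literal single argument
    print("hardened   :", is_rejected(payload), is_rejected("-f"), repr(run_hardened("fe80::1")))
```

With the vulnerable handler the injected `echo INJECTED` runs as a separate command; the argv-only form prints the whole payload as one literal argument, and the hardened form rejects both the metacharacter payload and a leading-dash option before anything is executed.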
Recommendations
Update every affected product line to firmware containing the fix: ATP series 4.32 through 5.35, USG FLEX series 4.50 through 5.35, USG FLEX 50(W) 4.16 through 5.35, USG20(W)-VPN 4.16 through 5.35, and VPN series 4.30 through 5.35. Zyxel's advisory for CVE-2023-27991 names ZLD V5.36 as the fixed release; confirm the running firmware version on each device after the upgrade rather than relying on a scheduled update having completed.
Until the firmware is updated, remember that the flaw is post-authentication, so the exposure is bounded by who can log in and from where. Restrict the management interfaces that expose the CLI (SSH, console, web GUI) to trusted administrator networks and never expose them on the WAN, review administrator accounts and remove or disable unused ones, enforce strong unique credentials, and watch CLI and administrator login logs for sessions from unexpected sources. Restricting "the CLI command" alone is not a meaningful control; limiting who can authenticate and from where is.
Weakness types
OS Command Injection
XSS
Affected Products
Zyxel ATP series
Zyxel USG FLEX 50(W)
Zyxel USG FLEX series
Zyxel USG20(W)-VPN
Zyxel VPN series