PT-2023-8709 · Zyxel · Zyxel Atp Series+3

Credit: Atdog +1

Published: 2023-11-30 · Updated: 2025-01-21

CVE-2023-6399

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Zyxel ATP series versions 4.32 through 5.37 Patch 1
Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1
Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Patch 1
Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Patch 1
Zyxel USG FLEX H series versions 1.10 through 1.10 Patch 1

Description

A format string vulnerability could allow an authenticated IPSec VPN user to cause DoS conditions against the deviceid daemon by sending a crafted hostname to an affected device if it has the Device Insight feature enabled. This issue is related to the use of uncontrolled format strings in the Device Insight feature of the affected devices.

Recommendations

For Zyxel ATP series versions 4.32 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
For Zyxel USG FLEX series versions 4.50 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
For Zyxel USG FLEX 50(W) series versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
For Zyxel USG20(W)-VPN series versions 4.16 through 5.37 Patch 1, update to a version later than 5.37 Patch 1.
For Zyxel USG FLEX H series versions 1.10 through 1.10 Patch 1, update to a version later than 1.10 Patch 1.
As a temporary workaround, consider disabling the Device Insight feature until a patch is available.
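The weakness class behind this advisory (an externally supplied hostname reaching a formatting function as the format argument) is easiest to see next to its hardened form. The following is an added illustration written for this page; it is not Zyxel's code and does not reproduce the deviceid daemon. The function names, the buffer size and the sample hostnames are constructed for the example. The vulnerable pattern is shown only in a comment; the compiled code keeps the format string constant and validates the hostname against the RFC 1123 character set before it is logged, which is the generic mitigation for this weakness class.

```c
#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative weak pattern (constructed, not from the affected product):
 * the peer-supplied hostname is passed as the FORMAT argument, so any '%'
 * directive inside it drives the formatter instead of being treated as data.
 *
 *     snprintf(line, sizeof line, hostname);   // hostname controls the format
 *
 * Everything below is the hardened form: constant format, hostname as data. */

#define MAX_HOSTNAME 253   /* RFC 1123 total-length limit */
#define MAX_LABEL    63    /* RFC 1123 per-label limit */

/* Returns 1 if 'name' is a syntactically valid hostname (letters, digits and
 * hyphens in dot-separated labels), 0 otherwise. A '%' or any other byte
 * outside that alphabet is rejected before the string reaches a logging path. */
int hostname_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;           /* empty label, or label ending in '-' */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;               /* rejects '%', whitespace, control bytes */
        if (label_len == 0 && c == '-')
            return 0;               /* a label may not start with '-' */
        if (++label_len > MAX_LABEL)
            return 0;
    }
    return label_len > 0 && name[len - 1] != '-';
}

/* Hardened log-line builder: the format string is a compile-time constant and
 * the hostname is supplied as a %s argument. Returns the number of bytes
 * written (excluding the NUL), or -1 if the hostname is rejected or the
 * output buffer is too small. */
int format_device_line(char *out, size_t out_len, const char *hostname)
{
    if (!hostname_is_valid(hostname))
        return -1;
    int n = snprintf(out, out_len, "device-insight: new host %s", hostname);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed name, one carrying format
     * directives, one with an empty label. */
    const char *inputs[] = { "laptop-01.corp.example", "%s%s%s%n", "bad..name" };
    char line[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int n = format_device_line(line, sizeof line, inputs[i]);
        if (n < 0)
            printf("rejected: %s\n", inputs[i]);
        else
            printf("%s (%d bytes)\n", line, n);
    }
    return 0;
}
```

The validator runs before any formatting call, so a hostname that fails it never reaches the logger at all; the constant format string is the second, independent layer, and is the one that actually removes the weakness even if validation is bypassed. Building with -Wformat-security (gcc/clang) flags the commented-out pattern at compile time.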

Fix

Weakness Enumeration

Use of Externally-Controlled Format String

Related Identifiers

BDU:2024-01652
CVE-2023-6399

Affected Products

Zyxel Atp Series
Zyxel Usg Flex 50(W) Series
Zyxel Usg Flex Series
Zyxel Usg20(W)-Vpn Series