Heads up, Zyxel users! The vendors have patched a few critical vulnerabilities in Zyxel Firewall that could allow remote command execution attacks. Users must rush to update their devices with the latest software releases to receive the patches.
Multiple Vulnerabilities Found In Zyxel Firewall
Zyxel – the Chinese technology and networking giant – has patched multiple Firewall vulnerabilities with the latest releases.
Specifically, the vendors have addressed three security vulnerabilities affecting their Firewall devices.
The first of these is a critical-severity remote command execution vulnerability, CVE-2023-28771 (CVSS 9.8). According to Zyxel’s advisory, the flaw existed due to improper message handling, allowing an unauthenticated remote adversary to execute OS commands on the target firewall devices. Exploiting the flaw required the attacker to send maliciously crafted data packets to the target device.
The devices affected by this vulnerability include ATP ZLD V4.60 to V5.35, USG FLEX ZLD V4.60 to V5.35, VPN ZLD V4.60 to V5.35, ZyWALL/USG ZLD V4.60 to V4.73. Zyxel has credited TRAPA Security for detecting and reporting this flaw.
The next vulnerability, CVE-2023-27990, is a high-severity (CVSS 8.8) cross-site scripting (XSS) vulnerability in Zyxel firewalls. Exploiting this flaw could let an authenticated adversary with admin privileges store malicious scripts on the target device. The scripts would execute if a user visits the Logs page.
Then, the third vulnerability, CVE-2023-27991, could also allow OS command injection attacks. The flaw impacted the CLI command of firewalls, allowing an authenticated attacker to execute remote commands.
According to Zyxel’s advisory, these two vulnerabilities affected the ATP ZLD V4.32 to V5.35, USG FLEX ZLD V4.50 to V5.35, USG FLEX 50(W)/USG20(W)-VPN ZLD V4.16 to V5.35, and VPN ZLD V4.30 to V5.35. Zyxel attributed Alessandro Sgreccia from Tecnical Service SRL for reporting both vulnerabilities.
Patches Rolled Out
Zyxel patched all three vulnerabilities with the latest software releases for vulnerable devices. Specifically, the patched releases include ATP ZLD V5.36, USG FLEX ZLD V5.36, VPN ZLD V5.36, ZyWALL/USG ZLD V4.73 Patch 1 (bug fix for CVE-2023-28771), and USG FLEX 50(W) / USG20(W)-VPN ZLD V5.36 (bug fix for CVE-2023-27990, CVE-2023-27991).
While the updates might reach the affected automatically, users must check for possible updates for their devices manually to ensure receiving the patches in time.