Zyxel CVE-2023-28771 – Command Injection

May 31, 2023

Improper error message handling in Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls creates a vulnerability that can be exploited by an unauthorized attacker. By sending manipulated packets to a targeted device, the attacker can remotely execute operating system commands.

Affected Products:

ATP	ZLD V4.60 to V5.35	ZLD V5.36
USG FLEX	ZLD V4.60 to V5.35	ZLD V5.36
VPN	ZLD V4.60 to V5.35	ZLD V5.36
ZyWALL/USG	ZLD V4.60 to V4.73	ZLD V4.73 Patch 1

Patches are available at the Zyxel website, click the Reference button

Reference

Related Posts

CVE-2023-34362 – MOVEit SQL Injection

Advantech WebAccess/SCADA Advisory

Exploited in the wild: Barracuda Email Security Gateway Appliance (ESG) (CVE-2023-2868)