CVE-2023-22916

CWE-20 — Improper Input Validation3 documents3 sources

Severity

8.1HIGH

EPSS

0.7%

top 27.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Atp100 Firmware Zyxel Atp100w Firmware Zyxel Atp200 Firmware +20 more

Timeline

PublishedApr 24

Description

The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attac…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages23 packages

▶CVEListV5zyxel/usg_flex_series_firmware5.00 through 5.35

▶CVEListV5zyxel/atp_series_firmware5.10 through 5.35

▶CVEListV5zyxel/vpn_series_firmware5.00 through 5.35

▶NVDzyxel/usg_flex_50_firmware5.00 — 5.35

▶NVDzyxel/usg_flex_100_firmware5.00 — 5.35

🔴Vulnerability Details

CVEList

CVE-2023-22916: The configuration parser of Zyxel ATP series firmware versions 5↗2023-04-24

▶

GHSA

GHSA-34w5-49cc-qp8r: The configuration parser of Zyxel ATP series firmware versions 5↗2023-04-24

▶