CVE-2023-22918: A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware…

medium6.5CVSS 3.1

AVNACLPRLUINSUCHINAN

A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device.

Affected

56 ranges· showing 25

Vendor	Product	Version range	Fixed in
zyxel	atp100_firmware	>= 4.32 < 5.36	5.36
zyxel	atp100w_firmware	>= 4.32 < 5.36	5.36
zyxel	atp200_firmware	>= 4.32 < 5.36	5.36
zyxel	atp500_firmware	>= 4.32 < 5.36	5.36
zyxel	atp700_firmware	>= 4.32 < 5.36	5.36
zyxel	atp800_firmware	>= 4.32 < 5.36	5.36
zyxel	atp_series_firmware	—	—
zyxel	nap203_firmware	<= 6.28\(abfa.0\)	—
zyxel	nap303_firmware	<= 6.28\(abex.0\)	—
zyxel	nap353_firmware	<= 6.28\(abey.0\)	—
zyxel	nwa110ax_firmware	<= 6.50\(abtg.2\)	—
zyxel	nwa1123-ac-pro_firmware	<= 6.28\(abhd.0\)	—
zyxel	nwa1123-ac_hd_firmware	<= 6.25\(abin.9\)	—
zyxel	nwa1123acv3_firmware	<= 6.50\(abvt.0\)	—
zyxel	nwa210ax_firmware	<= 6.50\(abtd.2\)	—
zyxel	nwa220ax-6e_firmware	<= 6.50\(acco.2\)	—
zyxel	nwa50ax-pro_firmware	<= 6.50\(acge.0\)	—
zyxel	nwa50ax_firmware	<= 6.55\(acge.1\)	—
zyxel	nwa5123-ac_hd_firmware	<= 6.25\(abim.9\)	—
zyxel	nwa55axe_firmware	<= 6.29\(abzl.1\)	—
zyxel	nwa90ax-pro_firmware	<= 6.50\(acgf.0\)	—
zyxel	nwa90ax_firmware	<= 6.29\(accv.1\)	—
zyxel	usg20-vpn_firmware	>= 4.30 < 5.36	5.36
zyxel	usg20_vpn_firmware	—	—
zyxel	usg_20w-vpn_firmware	>= 4.16 < 5.36	5.36