⚠ Actively exploited
Added to CISA KEV on 2023-06-05. Federal agencies required to patch by 2023-06-26. Required action: Apply updates per vendor instructions.
CVE-2023-33009
Severity
9.8 CRITICAL
EPSS
6.2%
top 9.16%
CISA KEV
Added 2023-06-05
Due 2023-06-26
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: May 24
KEV added: Jun 5
KEV due: Jun 26
Description
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) con…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9