CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEVITW

CISA Known Exploited Vulnerabilitydue 2023-06-26

Exploited in the wild

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

Affected

49 ranges· showing 25

Vendor	Product	Version range	Fixed in
zyxel	atp100_firmware	—	—
zyxel	atp100_firmware	>= 4.32 < 5.36	5.36
zyxel	atp100w_firmware	—	—
zyxel	atp100w_firmware	>= 4.32 < 5.36	5.36
zyxel	atp200_firmware	—	—
zyxel	atp200_firmware	>= 4.32 < 5.36	5.36
zyxel	atp500_firmware	—	—
zyxel	atp500_firmware	>= 4.32 < 5.36	5.36
zyxel	atp700_firmware	—	—
zyxel	atp700_firmware	>= 4.32 < 5.36	5.36
zyxel	atp800_firmware	—	—
zyxel	atp800_firmware	>= 4.32 < 5.36	5.36
zyxel	atp_series_firmware	—	—
zyxel	usg20-vpn_firmware	—	—
zyxel	usg20-vpn_firmware	>= 4.30 < 5.36	5.36
zyxel	usg20_vpn_firmware	—	—
zyxel	usg_20w-vpn_firmware	—	—
zyxel	usg_40_firmware	—	—
zyxel	usg_40_firmware	>= 4.25 < 4.73	4.73
zyxel	usg_40w_firmware	—	—
zyxel	usg_40w_firmware	>= 4.25 < 4.73	4.73
zyxel	usg_60_firmware	—	—
zyxel	usg_60_firmware	>= 4.25 < 4.73	4.73
zyxel	usg_60w_firmware	—	—
zyxel	usg_60w_firmware	>= 4.25 < 4.73	4.73

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vulncheck9.8CRITICAL

cisa9.8CRITICAL