CVE-2023-34139

CWE-78 — OS Command Injection3 documents3 sources

Severity

8.8HIGH

EPSS

0.2%

top 59.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel USG 2200-vpn Firmware Zyxel USG Flex 100 Firmware Zyxel USG Flex 100w Firmware +14 more

Timeline

PublishedJul 17

Description

A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages17 packages

▶CVEListV5zyxel/usg_flex_series_firmware4.50 through 5.36 Patch 2

▶CVEListV5zyxel/vpn_series_firmware4.20 through 5.36 Patch 2

▶NVDzyxel/usg_flex_50_firmware4.50 — 5.37

▶NVDzyxel/usg_flex_100_firmware4.50 — 5.37

▶NVDzyxel/usg_flex_200_firmware4.50 — 5.37

🔴Vulnerability Details

CVEList

CVE-2023-34139: A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4↗2023-07-17

▶

GHSA

GHSA-xjxm-x67w-v3c7: A command injection vulnerability in the Free Time WiFi hotspot feature of in the Zyxel USG FLEX series firmware versions 4↗2023-07-17

▶