CVE-2023-6398

CWE-78 — OS Command Injection3 documents3 sources

Severity

7.2HIGH

EPSS

0.7%

top 27.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zyxel Nwa50ax Firmware Zyxel Wac500 Firmware Zyxel Wax300h Firmware +44 more

Timeline

PublishedFeb 20

Description

A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1, NWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages51 packages

▶CVEListV5zyxel/usg_flex_series_firmwareversion 4.50 through 5.37 Patch 1

▶CVEListV5zyxel/usg_flex_h_series_firmwareversion 1.10 through 1.10 Patch 1

▶CVEListV5zyxel/usg_flex_50(w)_series_firmware version 4.16 through 5.37 Patch 1

▶CVEListV5zyxel/usg20(w)-vpn_series_firmwareversion 4.16 through 5.37 Patch 1

▶CVEListV5zyxel/atp_series_firmwareversion 4.32 through 5.37 Patch 1

🔴Vulnerability Details

CVEList

CVE-2023-6398: A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4↗2024-02-20

▶

GHSA

GHSA-p6jh-65c7-8r26: A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4↗2024-02-20

▶