Zyxel Firewall Vulnerability lets Attackers Inject OS Commands
Zyxel, the networking equipment manufacturer, has recently issued security patches for its firewall devices to fix a vulnerability that allows RCE on affected systems.
This RCE vulnerability, tracked as “CVE-2023-28771,” was discovered by TRAPA Security, and it is rated 9.8 on the CVSS scale, with a “Critical” severity rating.
Products Affected
The products impacted by this flaw are listed below:
- ATP (Affected versions: ZLD V4.60 to V5.35, Patched version: ZLD V5.36)
- USG FLEX (Affected versions: ZLD V4.60 to V5.35, Patched version: ZLD V5.36)
- VPN (Affected versions: ZLD V4.60 to V5.35, Patched version: ZLD V5.36)
- ZyWALL/USG (Affected versions: ZLD V4.60 to V4.73, Patched version: ZLD V4.73 Patch 1)
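The version ranges above can be turned into an inventory check. The following is an added example, not code from Zyxel or the original article; the hostnames, the inventory and the `assess`/`needs_patch` helpers are constructed for illustration, and version strings are assumed to use the "ZLD V4.73 Patch 1" form shown in the list.

```python
import re

# Per product line: (first affected version, first fixed version), from the list above.
# Versions are (major, minor, patch) tuples, so "V4.73 Patch 1" becomes (4, 73, 1).
RANGES = {
    "ATP":        ((4, 60, 0), (5, 36, 0)),
    "USG FLEX":   ((4, 60, 0), (5, 36, 0)),
    "VPN":        ((4, 60, 0), (5, 36, 0)),
    "ZYWALL/USG": ((4, 60, 0), (4, 73, 1)),
}
_VERSION_RE = re.compile(r"V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Parse 'ZLD V5.35' or 'ZLD V4.73 Patch 1' into a comparable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def assess(product, version_text):
    """Classify one device against the CVE-2023-28771 ranges listed above."""
    key = product.strip().upper()
    if key not in RANGES:
        return "unknown-product"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed-version"
    first_affected, first_fixed = RANGES[key]
    # Anything from the first affected release up to (not including) the fix is
    # flagged, so an intermediate build below the fixed release is not missed.
    return "affected" if first_affected <= version < first_fixed else "not-listed"

# Constructed inventory: (hostname, product line, firmware string).
INVENTORY = [
    ("fw-branch-01", "USG FLEX", "ZLD V5.35"),
    ("fw-branch-02", "ATP", "ZLD V5.36"),
    ("fw-hq-01", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-hq-02", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-lab-01", "VPN", "ZLD V4.35"),
    ("fw-lab-02", "OTHER-MODEL", "unknown"),
]

def needs_patch(inventory):
    """Return hostnames whose firmware falls inside an affected range."""
    return [host for host, product, ver in inventory
            if assess(product, ver) == "affected"]

if __name__ == "__main__":
    for host, product, ver in INVENTORY:
        print(f"{host:14} {product:12} {ver:20} {assess(product, ver)}")
```

Devices reported as "unknown-product" or "unparsed-version" are not cleared by this check and need to be reviewed by hand.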
By exploiting this vulnerability, unauthenticated attackers can execute OS commands on an affected device by sending specially crafted packets, owing to improper error message handling in certain firewall versions.
Furthermore, Zyxel has addressed one medium-severity bug and five high-severity vulnerabilities that affect multiple firewalls and access point devices.
These vulnerabilities could result in code execution and DoS conditions.
Credit for reporting the issues has been given to Nikita Abramov of Positive Technologies, a cybersecurity company based in Russia.
Additionally, Zyxel urged customers to contact their local service representative or visit Zyxel’s Community for further information or assistance.
Source credit : cybersecuritynews.com