CVE-2023-33012

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-33012
A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp100:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp100w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp100w:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp200:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp500_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp500:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp700_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp700:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:zyxel:zywall_atp800_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_atp800:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn100:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn2s_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn2s:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn300:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn50:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn_100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn_100:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn_300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn_300:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND
cpe:2.3:o:zyxel:zywall_vpn_50_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:zyxel:zywall_vpn_50:-:*:*:*:*:*:*:*
Information

Published : 2023-07-17 18:15

Updated : 2023-07-26 21:35

NVD link : CVE-2023-33012

Mitre link : CVE-2023-33012

JSON object : View

Products Affected

zyxel

  • zywall_vpn_50
  • zywall_vpn_300
  • zywall_atp500
  • zywall_vpn_300_firmware
  • usg_flex_50_firmware
  • zywall_atp800
  • usg_flex_50w
  • zywall_vpn_100
  • usg_flex_200
  • zywall_vpn100_firmware
  • zywall_vpn2s_firmware
  • zywall_atp100
  • usg_flex_50
  • usg_20w-vpn
  • usg_2200-vpn
  • zywall_atp100w
  • usg_flex_500_firmware
  • zywall_atp100w_firmware
  • usg_flex_100w
  • zywall_atp700_firmware
  • zywall_atp800_firmware
  • zywall_vpn_100_firmware
  • usg_2200-vpn_firmware
  • zywall_vpn2s
  • zywall_vpn300_firmware
  • zywall_vpn100
  • zywall_vpn_50_firmware
  • zywall_atp200
  • usg_flex_200_firmware
  • usg_flex_500
  • usg_flex_100_firmware
  • usg_flex_700
  • usg_20w-vpn_firmware
  • usg_flex_100
  • usg_flex_50w_firmware
  • zywall_atp100_firmware
  • zywall_atp700
  • zywall_vpn300
  • zywall_vpn50
  • usg_flex_100w_firmware
  • zywall_atp200_firmware
  • usg_flex_700_firmware
  • zywall_atp500_firmware
  • zywall_vpn50_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')