DIVD-2023-00022 - OS command injection vulnerability of Zyxel firewalls
|Case lead||Ralph Horn|
|Product||Zyxel ZyWALL/USG, Zyxel VPN, Zyxel USG FLEX and Zyxel ATP|
|Recommendation||If you have a vulnerable Zyxel product, update to the latest version.|
|Last modified||20 May 2023 13:44|
Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
What you can do
If the product is still under support, update to the latest version. For ZyWALL/USG this is version ZLD V4.73 Patch 1 and all other products this is version ZLD V5.36.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding Zyxel instances and checking their version and product name. The notificaiton will be sent to the party responsible for the ip address according to the whois database.
|28 Apr 2023||DIVD starts researching fingerprint.|
|29 Apr 2023||Fingerprint found.|
|03 May 2023||DIVD starts researching a way to identify Zyxel devices.|
|10 May 2023||DIVD starts scanning the internet for vulnerable instances.|
gantt title DIVD-2023-00022 - OS command injection vulnerability of Zyxel firewalls dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00022 - OS command injection vulnerability of Zyxel firewalls (still open) :2023-04-28, 2023-06-10 section Events DIVD starts researching fingerprint. : milestone, 2023-04-28, 0d Fingerprint found. : milestone, 2023-04-29, 0d DIVD starts researching a way to identify Zyxel devices. : milestone, 2023-05-03, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2023-05-10, 0d