Zyxell has released a security advisory for multiple buffer overflow vulnerabilities. Exploitation of these vulnerabilities could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on the affected Zyxell firewalls.
Affected users should patch as a matter of urgency, and we urge you not to expose the management interfaces of network edge devices to the Internet, in order to reduce their attack surface.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:
CVE-2023-33009: A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1.
CVE-2023-33010: Another buffer overflow vulnerability in the ID processing function in the same Zyxel firmware versions.
A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region.
Both vulnerabilities received a CVSS score of 9.8 out of 10. In case that isn’t enough reason for you to act urgently, it is worth remembering that it only took four days for the first active exploitation to take place after Zyxel patched CVE-2022-30525 last year.
The security advisory lists the vulnerable firewall series that are within their vulnerability support period:
- ATP versions ZLD V4.32 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
- USG FLEX versions ZLD V4.50 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
- USG FLEX50(W) / USG20(W)-VPN versions ZLD V4.25 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
- VPN versions ZLD V4.30 to V5.36 Patch 1 are covered by ZLD V5.36 Patch 2.
- ZyWALL/USG versions ZLD V4.25 to V4.73 Patch 1 are covered by ZLD V4.73 Patch 2.
How to install updates
Login to your ZLD appliance and go to Configuration → Licensing → Registration → Service and click the Service License Refresh button. This must be done before you can access your myZyxel account to download new firmware patches. This will sync necessary info with the myZyxel server (info like running firmware version, MAC Address, S/N, etc.).
Open an internet browser and go to URL: https://portal.myzyxel.com/ and login to your account.
Once in your account dashboard, find the ZLD router you wish to download firmware for and click on the Download button under the “Firmware Update” column.
Once downloaded, there may be up to four ways you can update the firmware, you can update the firmware manually via the Web GUI, you can FTP into the router and upload the firmware, you can utilize the Automatic Cloud Firmware update feature introduced on firmware version 4.25, or upgrade via USB flash drive.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.