Zyxel has released patches for a critical security flaw in its firewall devices. The flaw, tracked as CVE-2023-28771 and rated 9.8 on the CVSS scoring system, could be exploited by an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
The impacted products include ATP, USG FLEX, VPN, and ZyWALL/USG, in versions ZLD V4.60 to V5.35 or ZLD V4.60 to V4.73. Zyxel has already provided patches for these vulnerabilities, and the affected versions are fixed in ZLD V5.36 and ZLD V4.73 Patch 1, respectively.
In addition to CVE-2023-28771, Zyxel has also addressed another high-severity post-authentication command injection vulnerability (CVE-2023-27991, CVSS score: 8.8) that could allow an authenticated attacker to execute some OS commands remotely. Malawi CERT recommends that users of affected Zyxel products update their devices as soon as possible to ensure protection against these vulnerabilities.