Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication.
Both security issues are buffer overflows and could allow denial-of-service (DoS) and remote code execution on vulnerable devices.
“Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities,” the vendor says in a security advisory. “Users are advised to install them for optimal protection,” the company adds.
Buffer overflow issues allow memory manipulation, enabling attackers to write data beyond the allocated section. They typically lead to system crashes but in some cases successful exploitation can allow code execution on the device.
Zyxel’s latest patch addresses the following problems:
- CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
- CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
The company says that vulnerable devices are running the following firmware:
- Zyxel ATP firmware versions ZLD V4.32 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
- Zyxel USG FLEX firmware versions ZLD V4.50 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
- Zyxel USG FLEX50(W) / USG20(W)-VPN firmware versions ZLD V4.25 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
- Zyxel VPN firmware versions ZLD V4.30 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
- Zyxel ZyWALL/USG firmware versions ZLD V4.25 to V4.73 Patch 1 (fixed in ZLD V4.73 Patch 2)
The vendor recommends users of the impacted products apply the newest security updates as soon as possible to eliminate the risk of hackers exploiting the two flaws.
Devices running the vulnerable versions above are used by small to medium-size businesses to protect their network and to allow secure network access (VPNs) to remote or home-based workers.
Threat actors keep a watchful eye on any critical flaws that impact such devices as they could facilitate easy access to corporate networks.
Last week, cybersecurity researcher Kevin Beaumont reported that a command injection flaw that Zyxel fixed in April is actively exploited and it impacts the same firewall and VPN products as this time.
Last year, CISA published a warning about hackers leveraging a remote code execution flaw in Zyxel firewall and VPN devices, urging system administrators to apply the firmware patches as soon as possible.