CVE-2023-33012 HIGH

CVE-2023-33012

Vendor Zyxel

Product ATP series firmware

Weakness CWE-78

Published July 17, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

Key dates

02Disclosure timeline

July 17, 2023 CVE published

March 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-33012 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2023-33012

CWE CWE-78

CVSS 8.8 / HIGH

Affected versions

Vendor Zyxel

Product ATP series firmware

Affected 5.10 through 5.36 Patch 2

Vendor Zyxel

Product USG FLEX series firmware

Affected 5.00 through 5.36 Patch 2

Vendor Zyxel

Product USG FLEX 50(W) series firmware

Affected 5.10 through 5.36 Patch 2

Vendor Zyxel

Product USG20(W)-VPN series firmware

Affected 5.10 through 5.36 Patch 2

Vendor Zyxel

Product VPN series firmware

Affected 5.00 through 5.36 Patch 2

CVE-2023-33012

01Description

02Disclosure timeline

03References

04Related CVE