CVE-2023-34138 HIGH

CVE-2023-34138

Vendor Zyxel

Product ATP series firmware

Weakness CWE-78

Published July 17, 2023

Last update October 30, 2024

View on NVD All CVEs

CVSS base score

8.0/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A command injection vulnerability in the hotspot management feature of the Zyxel ATP series firmware versions 4.60 through 5.36 Patch 2, USG FLEX series firmware versions 4.60 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 4.60 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 4.60 through 5.36 Patch 2, and VPN series firmware versions 4.60 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device if the attacker could trick an authorized administrator to add their IP address to the list of trusted RADIUS clients in advance.

Key dates

02Disclosure timeline

July 17, 2023 CVE published

October 30, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-34138

Related vulnerabilities

Identifiers

CVE CVE-2023-34138

CWE CWE-78

CVSS 8.0 / HIGH