Critical Vulnerabilities in Zyxel Firewall and VPN Products

Published on 26 May 2023

Zyxel has released software updates to address two critical vulnerabilities (CVE-2023-33009 and CVE-2023-33010) affecting their firewall and VPN products. The vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

The vulnerabilities are:

  • CVE-2023-33009 - A buffer overflow vulnerability in the notification function that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition and execute code remotely.
  • CVE-2023-33010 - A buffer overflow vulnerability in the ID processing function that could allow an unauthenticated attacker to cause a denial-of-service (DoS) condition and execute code remotely.

The vulnerabilities affect the following products:

  • ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
  • USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
  • USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
  • VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
  • ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)

Users and administrators of affected products are advised to update to the latest versions immediately.

More information is available here:
https://thehackernews.com/2023/05/zyxel-issues-critical-security-patches.html