Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could exploit without authentication.
Both security issues are buffer overflows and could allow denial of service (DoS) and remote code execution on vulnerable devices.
“Zyxel has released fixes for firewalls affected by multiple buffer overflow vulnerabilities,” the vendor says in a security advisory. “Users are advised to install them for optimal protection,” the company adds.
A buffer overflow occurs when a program writes more data into a fixed-size memory region than it can hold, corrupting whatever sits next to it in memory. Most of the time the result is a crash (a denial of service), but when the attacker controls both the length and the contents of the overflowing data, the corruption can be steered into executing attacker-supplied code on the device.
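To make the class of bug concrete, here is an added illustration in C. It is not Zyxel's code and says nothing about how the two flaws above actually work; it is a constructed message format (a one-byte length prefix followed by a payload) copied into a fixed 16-byte buffer, first trusting the attacker-supplied length, then bounding the copy by the destination size. The function names, buffer size and sample messages are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed example, NOT Zyxel firmware code.
 * Hypothetical message: msg[0] = payload length, msg[1..] = payload. */
#define ID_BUF_SIZE 16

/* Vulnerable pattern: the length field is validated against the message
 * but never against the destination buffer. A length above 15 overflows 'out'. */
int copy_id_unchecked(const uint8_t *msg, size_t msg_len, char *out /* ID_BUF_SIZE bytes */)
{
    if (msg_len < 1) return -1;
    size_t n = msg[0];                  /* attacker controlled, 0..255 */
    if (msg_len < 1 + n) return -1;     /* stays inside the message ... */
    memcpy(out, msg + 1, n);            /* ... but not inside 'out' when n >= ID_BUF_SIZE */
    out[n] = '\0';
    return (int)n;
}

/* Hardened pattern: reject any payload that does not fit, NUL terminator included. */
int copy_id_checked(const uint8_t *msg, size_t msg_len, char *out, size_t out_size)
{
    if (msg_len < 1 || out_size == 0) return -1;
    size_t n = msg[0];
    if (msg_len < 1 + n) return -1;
    if (n >= out_size) return -2;       /* fail closed instead of truncating silently */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if the unchecked copy would write past the destination for this message. */
int unchecked_would_overflow(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) return 0;
    return (size_t)msg[0] + 1 > ID_BUF_SIZE;   /* payload plus NUL exceeds the buffer */
}

/* Constructed sample: a 5-byte payload that fits. */
int demo_in_bounds(char *out, size_t out_size)
{
    static const uint8_t msg[] = { 5, 'a', 'b', 'c', 'd', 'e' };
    return copy_id_checked(msg, sizeof msg, out, out_size);
}

/* Constructed sample: a 40-byte payload that would overflow a 16-byte buffer. */
int demo_oversized(char *out, size_t out_size)
{
    uint8_t msg[1 + 40];
    msg[0] = 40;
    memset(msg + 1, 'A', 40);
    /* The hardened copy refuses it; the unchecked copy would have written 41 bytes. */
    if (!unchecked_would_overflow(msg, sizeof msg)) return -99;
    return copy_id_checked(msg, sizeof msg, out, out_size);
}

int main(void)
{
    char buf[ID_BUF_SIZE];
    printf("in-bounds:  %d (%s)\n", demo_in_bounds(buf, sizeof buf), buf);
    printf("oversized:  %d\n", demo_oversized(buf, sizeof buf));
    return 0;
}
```

The unchecked version is deliberately never called with the oversized message, since doing so is undefined behaviour; `unchecked_would_overflow` reports the condition it would have tripped on. The fix is the same whichever parser field is involved: the bound is the destination's size, not the attacker's length field.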
The latest patch from Zyxel resolves the following issues:
- CVE-2023-33009: A buffer overflow vulnerability in the notification feature of certain Zyxel products, allowing an unauthenticated attacker to remotely execute code or cause DoS conditions (CVSS score 9.8, critical).
- CVE-2023-33010: A buffer overflow vulnerability in the ID processing feature of certain Zyxel products, allowing an unauthenticated attacker to remotely execute code or cause DoS conditions (CVSS score 9.8, critical).
The company lists the following firmware versions as affected:
- Zyxel ATP ZLD Firmware Versions V4.32 to V5.36 Patch 1 (Fixed in ZLD V5.36 Patch 2)
- Zyxel USG FLEX ZLD Firmware Versions V4.50 to V5.36 Patch 1 (Fixed in ZLD V5.36 Patch 2)
- Zyxel USG FLEX50(W) / USG20(W)-VPN ZLD Firmware Versions V4.25 to V5.36 Patch 1 (Fixed in ZLD V5.36 Patch 2)
- Zyxel VPN ZLD Firmware Versions V4.30 to V5.36 Patch 1 (Fixed in ZLD V5.36 Patch 2)
- Zyxel ZyWALL/USG ZLD Firmware Versions V4.25 to V4.73 Patch 1 (Fixed in ZLD V4.73 Patch 2)
The vendor recommends that users of affected products apply the latest security updates as soon as possible to reduce the risk of either flaw being exploited.
The affected products are used by small and medium businesses to protect their networks and to give remote or home workers secure network access over VPN.
Threat actors keep a close eye on critical flaws in these devices, since an edge firewall or VPN gateway offers direct entry into a corporate network.
Last week, cybersecurity researcher Kevin Beaumont reported that a command injection flaw Zyxel patched in April is being actively exploited, affecting the same firewall and VPN product lines as the two bugs above.
Last year, CISA warned that hackers were exploiting a remote code execution flaw in Zyxel firewall and VPN devices, urging system administrators to apply firmware patches as soon as possible.