This week, Zyxel, a Taiwanese manufacturer of network equipment, released patches for a critical vulnerability affecting its ATP, USG FLEX, VPN, and ZyWALL/USG firewalls. The security flaw, identified as CVE-2023-28771, can be remotely exploited to run OS commands.
According to Zyxel’s advisory, “poor error message handling in some firewall versions could allow an unauthenticated attacker to remotely execute some OS commands by sending crafted packets to an affected device.” ATP, USG FLEX, and VPN firewall firmware updates also fix a serious command injection problem.