
CVE-2023-33009

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 May 2023
Modified: 26 February 2026
KEV Added: 05 June 2023
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0558 (90.5th percentile)
Risk Priority: 43 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33009 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Zyxel ATP100 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.5% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A buffer overflow vulnerability exists in the notification function of multiple Zyxel firewall product lines. Affected devices include ATP series, USG FLEX series, USG FLEX 50(W), USG20(W)-VPN, VPN series running firmware 4.60 through 5.36 Patch 1, and ZyWALL/USG series running 4.60 through 4.73 Patch 1. The flaw is tracked as CWE-120 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker can send specially crafted network traffic to the affected notification function, triggering the overflow. Successful exploitation yields denial-of-service conditions and potential remote code execution on the device without requiring user interaction or credentials.

Zyxel has published a security advisory detailing the buffer overflow issues and directing customers to apply the fixed firmware versions listed in the advisory. The vulnerability also appears in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity.

EPSS scores have remained modest, with a recorded peak of 0.0617 and a current value of 0.0558.


Vulnerability details

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
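For fleet triage, the affected ranges quoted above can be turned into a version check. This is an added example, not code from the page or from Zyxel; it assumes firmware versions are written in the "X.YY Patch N" form the advisory text uses (a bare "X.YY" is treated as patch level 0), and a result of False means only that the version lies outside the stated affected range, since the page does not list the fixed releases.

```python
import re
from typing import List, Optional, Tuple

# Comparable key: (major, minor, patch). "5.36" -> (5, 36, 0), "5.36 Patch 1" -> (5, 36, 1).
VersionKey = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory text, inclusive on both ends.
AFFECTED_RANGES = {
    "ATP": ((4, 60, 0), (5, 36, 1)),
    "USG FLEX": ((4, 60, 0), (5, 36, 1)),
    "USG FLEX 50(W)": ((4, 60, 0), (5, 36, 1)),
    "USG20(W)-VPN": ((4, 60, 0), (5, 36, 1)),
    "VPN": ((4, 60, 0), (5, 36, 1)),
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 1)),
}

# Assumed version format (optional leading "V", then major.minor, optional "Patch N").
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Optional[VersionKey]:
    """Parse '5.36', '5.36 Patch 1' or 'V4.73 Patch 2'; return None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(series: str, version: str) -> Optional[bool]:
    """True inside the affected range, False outside it, None if series or version is unknown."""
    rng = AFFECTED_RANGES.get(series)
    key = parse_version(version)
    if rng is None or key is None:
        return None
    low, high = rng
    return low <= key <= high


# Constructed sample inventory (hostnames and versions are made up) to show the check in use.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "ATP", "5.36 Patch 1"),        # last affected release
    ("fw-edge-02", "ATP", "5.36 Patch 2"),        # outside the stated range
    ("fw-branch-07", "ZyWALL/USG", "4.73 Patch 1"),
    ("fw-branch-08", "ZyWALL/USG", "4.59"),       # below the range start
    ("fw-lab-03", "USG FLEX", "V5.10"),
]


def triage(inventory) -> List[str]:
    """Return hostnames whose firmware falls inside the affected range for its series."""
    return [host for host, series, ver in inventory if is_affected(series, ver)]
```

Unparseable versions and unknown series come back as None rather than False so they are not silently reported as safe.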

CWE(s): CWE-120 (Classic Buffer Overflow)
KEV Date Added: 05 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zyxel atp100 firmware: 5.36 · 4.60 — 5.36
zyxel atp200 firmware: 5.36 · 4.60 — 5.36
zyxel atp500 firmware: 5.36 · 4.60 — 5.36
zyxel atp100w firmware: 5.36 · 4.60 — 5.36
zyxel atp700 firmware: 5.36 · 4.60 — 5.36
zyxel atp800 firmware: 5.36 · 4.60 — 5.36
zyxel usg flex 100 firmware: 5.36 · 4.60 — 5.36
zyxel usg flex 50 firmware: 5.36 · 4.60 — 5.36
zyxel usg flex 200 firmware: 5.36 · 4.60 — 5.36
zyxel usg flex 500 firmware: 5.36 · 4.60 — 5.36
+13 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires timely application of vendor patches that remediate the buffer overflow in the notification function across all listed Zyxel firmware versions.

SI-10 Information Input Validation (prevent): Mandates validation of all input to the notification function, blocking the specially crafted payloads that trigger the CWE-120 overflow from unauthenticated network sources.

Memory protection (prevent): Requires memory-protection mechanisms that can prevent successful exploitation of the overflow for remote code execution even if input validation fails.
