CVE-2023-33010
Published: 24 May 2023
Summary
CVE-2023-33010 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Zyxel USG FLEX 100 firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A buffer overflow vulnerability exists in the ID processing function of Zyxel firewalls, tracked as CVE-2023-33010. Affected products include the ATP series running firmware 4.32 through 5.36 Patch 1, USG FLEX series 4.50 through 5.36 Patch 1, USG FLEX 50(W) 4.25 through 5.36 Patch 1, USG20(W)-VPN 4.25 through 5.36 Patch 1, VPN series 4.30 through 5.36 Patch 1, and ZyWALL/USG series 4.25 through 4.73 Patch 1. The flaw is classified under CWE-120 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker can exploit the issue remotely over the network without user interaction to trigger denial-of-service conditions or achieve remote code execution on the device.
Zyxel has published a security advisory detailing the buffer overflow issues across its firewall lineup and directing customers to apply the listed firmware patches. The CVE also appears in CISA’s Known Exploited Vulnerabilities catalog.
The associated EPSS score remains flat at 0.0732 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37199
Vulnerability details
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
- CWE(s): CWE-120
- KEV Date Added: 05 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input to the ID processing function, preventing the crafted payload that triggers the CWE-120 buffer overflow.
Mandates timely application of vendor patches that remediate the buffer overflow in the listed Zyxel firmware versions.
Requires memory-protection mechanisms that can block successful exploitation of the overflow for remote code execution or DoS.