CVE-2023-28771
CRITICALCISA KEVEPSS 100th pctlDescription
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit Intelligence
Very high risk: more likely to be exploited than 100% of all known CVEs.
Zyxel Multiple Firewalls OS Command Injection Vulnerability
Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.
Apply updates per vendor instructions.
Remediation due: 2023-06-21
References
- http://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28771
Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-10-27.