A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2 could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.
History
26 Jul 2023, 21:30
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-78 | |
References | (MISC) https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers - Vendor Advisory | |
CPE | cpe:2.3:h:zyxel:zywall_vpn100:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn300:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn_300_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn2s:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn100_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn300_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn_50:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn2s_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn_50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn50_firmware:*:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn50:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn_300:-:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:zywall_vpn_100:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:zywall_vpn_100_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:* cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:* |
First Time | Zyxel zywall Vpn 50 Zyxel usg Flex 100w Firmware Zyxel usg Flex 50 Firmware Zyxel zywall Vpn 100 Firmware Zyxel zywall Vpn 100 Zyxel usg Flex 100 Zyxel usg Flex 50w Firmware Zyxel usg 2200-vpn Firmware Zyxel usg Flex 500 Zyxel zywall Vpn 300 Firmware Zyxel usg Flex 50w Zyxel usg Flex 700 Firmware Zyxel zywall Vpn50 Zyxel usg 2200-vpn Zyxel zywall Vpn2s Zyxel zywall Vpn300 Firmware Zyxel zywall Vpn50 Firmware Zyxel zywall Vpn2s Firmware Zyxel usg Flex 200 Firmware Zyxel usg Flex 500 Firmware Zyxel zywall Vpn 50 Firmware Zyxel usg Flex 200 Zyxel zywall Vpn100 Firmware Zyxel Zyxel usg Flex 700 Zyxel zywall Vpn 300 Zyxel usg Flex 100 Firmware Zyxel usg Flex 50 Zyxel usg Flex 100w Zyxel zywall Vpn300 Zyxel zywall Vpn100 |
18 Jul 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
Summary | A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device. |
17 Jul 2023, 18:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-17 18:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-34139
Mitre link : CVE-2023-34139
CVE.ORG link : CVE-2023-34139
Products Affected
zyxel
- zywall_vpn2s
- zywall_vpn300_firmware
- usg_flex_100w_firmware
- usg_flex_50
- zywall_vpn50_firmware
- zywall_vpn_50
- usg_flex_700
- zywall_vpn_100_firmware
- usg_flex_50_firmware
- usg_flex_200_firmware
- usg_2200-vpn
- zywall_vpn2s_firmware
- usg_flex_50w_firmware
- usg_flex_200
- zywall_vpn300
- zywall_vpn_300_firmware
- zywall_vpn_300
- usg_flex_50w
- usg_flex_500
- usg_2200-vpn_firmware
- zywall_vpn100_firmware
- zywall_vpn50
- usg_flex_100_firmware
- usg_flex_500_firmware
- zywall_vpn_50_firmware
- zywall_vpn_100
- usg_flex_100w
- usg_flex_100
- zywall_vpn100
- usg_flex_700_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')