Exploit
CVE-2023-33012

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Published: Jul 17, 2023 / Updated: 16mo ago

High Severity
(Estimated)
EPSS 0.05%

Summary

A command injection vulnerability exists in the configuration parser of various Zyxel firewall and WLAN controller products. This vulnerability affects multiple series including ATP, USG FLEX, USG20(W)-VPN, and VPN series with firmware versions ranging from 5.00 to 5.36 Patch 2. The vulnerability allows an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

Impact

If exploited, this vulnerability could allow an attacker to execute arbitrary OS commands on the affected devices. This could potentially lead to unauthorized access, data manipulation, or complete system compromise. Given that the attack can be performed by an unauthenticated user from the LAN, it poses a significant risk to internal network security. The vulnerability is classified as "HIGH" severity, indicating a serious threat that should be prioritized for patching.

Exploitation

One proof-of-concept exploit is available on github.com. Its exploitation has been reported by various sources, including vulncheck.com.

Patch

A patch is available. Zyxel has released security updates to address this vulnerability. The patch details can be found on the Zyxel website at https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers.

Mitigation

1. Update affected devices to the latest firmware version provided by Zyxel.
2. If immediate patching is not possible, consider disabling cloud management mode, as the vulnerability is only exploitable when this mode is enabled.
3. Implement strict access controls on the LAN to limit potential attackers' ability to reach vulnerable devices.
4. Monitor system logs for any suspicious activities or unauthorized command executions.
5. Consider implementing network segmentation to isolate vulnerable devices if they cannot be immediately patched.

Timeline

First Article

Feedly found the first article mentioning CVE-2023-33012.

Jul 17, 2023 at 6:12 PM / cve.report
Exploitation in the Wild

Attacks in the wild have been reported by VulnCheck Blog.

Feb 21, 2024 at 11:36 AM / VulnCheck Blog
Threat Intelligence Report

The vulnerability CVE-2023-33012 affects a wide range of Zyxel firewalls and has been actively exploited in the wild, with approximately 33% of internet-facing firewalls being vulnerable. There are no proof-of-concept exploits available, but Zyxel has released patches to address the issue. Downstream impacts to other third-party vendors or technologies have not been reported.

Feb 21, 2024 at 11:36 AM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Jul 3, 2024 at 7:10 PM

Affected Systems

Zyxel/atp

Exploits

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zyxel_parse_config_rce.rb

Patches

www.zyxel.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

28.865

Newly Added (11): Layer5.Meshery.order.SQL.Injection, DD-WRT.UPNP.CVE-2021-27137.uuid.Buffer.Overflow, WordPress.Quiz.Maker.admin-ajax.SQL.Injection, Netis.Devices.user_ok.Buffer.Overflow, VMware.Spring.Cloud.Data.Flow.Skipper.Arbitrary.File.Upload, Google.Chrome.V8.CVE-2024-1939.Type.Confusion, Tananaev.Solutions.Traccar.devices.Arbitrary.File.Upload, Apache.HTTP.Server.mod_proxy.apr_uri_parse.DoS, Notemark.Editor.CVE-2024-41819.Stored.XSS, Google.Chrome.V8.CVE-2024-5274.Type.Confusion, LOYTEC.LWEB-802.Preinstalled.Version.Authentication.Bypass

Modified (48): MS.Office.EQNEDT32.EXE.Equation.Parsing.Memory.Corruption, MS.Office.Word.Mismatched.Style.Memory.Corruption, Apache.HugeGraph.Gremlin.Command.Injection, Google.Chrome.V8.CVE-2024-4947.Type.Confusion, Apache.Tomcat.Chunked.Transfer.DoS, Remote.CMD.Shell, NextGen.Healthcare.Mirth.Connect.Command.Injection, Adobe.Acrobat.CVE-2023-26369.Out-of-Bounds.Write, PHP.Malicious.Shell, SysAid.On-Premise.Tomcat.Path.Traversal, Moment.js.CVE-2022-24785.Path.Traversal, Google.Chrome.V8.CVE-2024-4761.Out-of-Bounds.Write, Multiple.Vendors.getcfg.php.Information.Disclosure, Apache.OFBiz.CVE-2022-25813.createAnonContact.SSTI, PyroCMS.CVE-2023-29689.Edit.Role.SSTI, MotoCMS.Store.Template.CVE-2023-36210.SSTI, Grav.CMS.CVE-2024-28116.Twig.SSTI, Magnolia.CMS.CVE-2021-46362.Registration.SSTI, Diyhi.bbs.CVE-2021-43097.TemplateManageAction.SSTI, Rejetto.HFS.CVE-2024-23692.SSTI, Splunk.Enterprise.modules.messaging.Path.Traversal, Gotenberg.File.Upload.Path.Traversal, Ruijie.RG-BCR860.Network.Diagnostic.Command.Injection, Zyxel.NAS.simZysh.setCookie.Code.Injection, NUUO.NVR.Devices.Debugging.Center.Command.Injection, Stition.AI.Devika.snapshot_path.Path.Traversal, TOTOLINK.A3700R.UploadCustomModule.Buffer.Overflow, DZS.GPON.ONT.CVE-2019-10677.Stored.XSS, TOTOLINK.Devices.getSaveConfig.Buffer.Overflow, TOTOLINK.A7000R.loginAuth.Buffer.Overflow, TOTOLINK.Devices.setParentalRules.Buffer.Overflow, Vodafone.H-500-S.Activation.Information.Disclosure, ECOA.Configuration.Download.Information.Disclosure, Foscam.R4M.UDTMediaServer.Buffer.Overflow, Dahua.Products.NetKeyboard.Authentication.Bypass, Dahua.Products.Loopback.Authentication.Bypass, TP-Link.ViGi.onvif_discovery.Buffer.Overflow, Swissphone.DiCal-RED.4009.fdmcgiwebv2.cgi.Path.Traversal, Swissphone.DiCal-RED.4009.fdmcgiwebv2.cgi.Authentication.Bypass, Softaculous.Webuzo.fpass.Authentication.Bypass, Softaculous.Webuzo.Password.Reset.Command.Injection, Softaculous.Webuzo.FTP.Management.Command.Injection, Zyxel.VPN.Series.Devices.CVE-2023-33012.Command.Injection, Atlassian.Fisheye.Login.Brute.Force, Google.Chrome.V8.BuildElementAccess.Type.Confusion, Apple.Safari.WebKit.matchAssertionBOL.Out-of-Bounds.Read, Google.Chrome.V8.ConstructNewMap.Memory.Corruption, Atlassian.Bitbucket.CVE-2022-26133.Remote.Code.Execution

28.859

Newly Added (14): TOTOLINK.A3700R.UploadCustomModule.Buffer.Overflow, DZS.GPON.ONT.CVE-2019-10677.Stored.XSS, TOTOLINK.Devices.getSaveConfig.Buffer.Overflow, TOTOLINK.A7000R.loginAuth.Buffer.Overflow, TOTOLINK.Devices.setParentalRules.Buffer.Overflow, Vodafone.H-500-S.Activation.Information.Disclosure, ECOA.Configuration.Download.Information.Disclosure, Zyxel.VPN.Series.Devices.CVE-2023-33012.Command.Injection, Atlassian.Fisheye.Login.Brute.Force, Google.Chrome.V8.BuildElementAccess.Type.Confusion, Apple.Safari.WebKit.matchAssertionBOL.Out-of-Bounds.Read, Google.Chrome.V8.ConstructNewMap.Memory.Corruption, Atlassian.Bitbucket.CVE-2022-26133.Remote.Code.Execution, Zen.Cart.findPluginAdminPage.Local.File.Inclusion

Modified (5): Ray.Project.cpu_profile.Code.Injection, Anyscale.Ray.entrypoint.Parameter.Command.Injection, D-Link.Devices.FormWlanGuestSetup.Buffer.Overflow, Pi-Hole.DownloadBlocklistFromUrl.SSRF, Raisecom.Gateway.Devices.Base.Config.Command.Injection

Removed (1): Malicious.VBA.Downloader
Zyxel parse_config.py Command Injection

Authored by jheysel-r7, SSD Secure Disclosure technical team. Site: metasploit.com. This Metasploit module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series. The affected firmware versions depend on the device module, see this module's documentation for more details. Advisories: CVE-2023-33012.

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::FileDropper
      prepend Msf::Exploit::Remote::AutoCheck

      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Zyxel parse_config.py Command Injection',
            'Description' => %q{
              This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.
              The affected firmware versions depend on the device module, see this module's documentation for more details.
              Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.
              If you run into any issues testing this in a real environment we kindly ask you raise an issue in metasploit's github repository:
Metasploit Weekly Wrap-Up 07/05/2024
This week, our very own sfewer-r7 added a new exploit module that leverages an authentication bypass vulnerability in the MOVEit Transfer SFTP service (CVE-2024-5806). Description: This module exploits an authentication bypass vulnerability in the MOVEit Transfer SFTP service.

CVSS V3.1

Unknown
