#VU86621 OS Command Injection in ZyXEL Communications Corp. products - CVE-2023-6398
Published: February 20, 2024
Vulnerability identifier: #VU86621
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-6398
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
ATP series
USG FLEX series
USG FLEX 50W
USG20W-VPN
NWA110AX
NWA210AX
NWA1123ACv3
WAC500
WAC500H
WAX510D
WAX610D
WAX650S
NWA50AX-PRO
NWA90AX-PRO
NWA50AX
NWA55AXE
NWA90AX
NWA220AX-6E
WAX300H
WAX620D-6E
WAX630S
WAX640S-6E
WAX655E
WBE660S
ATP series
USG FLEX series
USG FLEX 50W
USG20W-VPN
NWA110AX
NWA210AX
NWA1123ACv3
WAC500
WAC500H
WAX510D
WAX610D
WAX650S
NWA50AX-PRO
NWA90AX-PRO
NWA50AX
NWA55AXE
NWA90AX
NWA220AX-6E
WAX300H
WAX620D-6E
WAX630S
WAX640S-6E
WAX655E
WBE660S
Software vendor:
ZyXEL Communications Corp.
ZyXEL Communications Corp.
Description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the file upload binary. A remote administrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install updates from vendor's website.