CVE-2023-33009

CRITICAL KEV

Zyxel ATP100 Firmware < 5.36 - Buffer Overflow

Title source: rule

Description

A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, and ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1 could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even remote code execution on an affected device.

Scores

CVSS v3 9.8
EPSS 0.0617
EPSS Percentile 90.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2023-06-05
VulnCheck KEV 2023-06-05
InTheWild.io 2023-06-05
ENISA EUVD EUVD-2023-37198
CWE CWE-120
Status published
Products (33)
zyxel/atp100_firmware 5.36 (2 CPE variants)
zyxel/atp100_firmware 4.60 - 5.36
zyxel/atp100w_firmware 5.36 (2 CPE variants)
zyxel/atp100w_firmware 4.60 - 5.36
zyxel/atp200_firmware 5.36 (2 CPE variants)
zyxel/atp200_firmware 4.60 - 5.36
zyxel/atp500_firmware 5.36 (2 CPE variants)
zyxel/atp500_firmware 4.60 - 5.36
zyxel/atp700_firmware 5.36 (2 CPE variants)
zyxel/atp700_firmware 4.60 - 5.36
... and 23 more
Published May 24, 2023
KEV Added Jun 05, 2023
Tracked Since Feb 18, 2026