CVE-2023-33010

CRITICAL KEV

Zyxel ATP/USG FLEX/USG20/VPN/ZyWALL Firmware 4.25-5.36 - Unauthenticated Buffer Overflow in ID Processing Function

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-33010 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 5, 2023.

Description

A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0732
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-06-05
VulnCheck KEV 2023-06-05
InTheWild.io 2023-06-05
ENISA EUVD EUVD-2023-37199
CWE
CWE-120
Status published
Products (32)
zyxel/atp100_firmware 5.36 (2 CPE variants)
zyxel/atp100_firmware 4.32 - 5.36
zyxel/atp100w_firmware 5.36 (2 CPE variants)
zyxel/atp100w_firmware 4.32 - 5.36
zyxel/atp200_firmware 5.36 (2 CPE variants)
zyxel/atp200_firmware 4.32 - 5.36
zyxel/atp500_firmware 5.36 (2 CPE variants)
zyxel/atp500_firmware 4.32 - 5.36
zyxel/atp700_firmware 5.36 (2 CPE variants)
zyxel/atp700_firmware 4.32 - 5.36
... and 22 more
Published May 24, 2023
KEV Added Jun 05, 2023
Tracked Since Feb 18, 2026