CVE-2023-33012

HIGH

Zyxel USG/ATP/VPN Firmware 5.00-5.36 Patch 2 - Unauthenticated OS Command Injection via GRE Configuration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-33012. PoCs published by SSD Secure Disclosure technical team, jheysel-r7, including Metasploit module exploits/linux/http/zyxel_parse_config_rce.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Zyxel devices (CVE-2023-33012) by leveraging arbitrary file write and command injection in the `parse_config.py` endpoint. It uploads a payload via a QSR file and executes it to achieve remote code execution.

Description

A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.

Exploits (1)

metasploit WORKING POC NORMAL

by SSD Secure Disclosure technical team, jheysel-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zyxel_parse_config_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Zyxel devices (CVE-2023-33012) by leveraging arbitrary file write and command injection in the `parse_config.py` endpoint. It uploads a payload via a QSR file and executes it to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zyxel VPN, USG, and ATP series devices with firmware versions between 5.00 and 5.36.2

No auth needed

Prerequisites: Network access to the target device · Vulnerable Zyxel device with affected firmware

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers

Scores

CVSS v3 8.8

EPSS 0.1014

EPSS Percentile 95.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (22)

zyxel/usg_20w-vpn_firmware 5.10 - 5.37

zyxel/usg_2200-vpn_firmware 5.00 - 5.37

zyxel/usg_flex_100_firmware 5.00 - 5.37

zyxel/usg_flex_100w_firmware 5.00 - 5.37

zyxel/usg_flex_200_firmware 5.00 - 5.37

zyxel/usg_flex_500_firmware 5.00 - 5.37

zyxel/usg_flex_50_firmware 5.00 - 5.37

zyxel/usg_flex_50w_firmware 5.00 - 5.37

zyxel/usg_flex_700_firmware 5.00 - 5.37

zyxel/zywall_atp100_firmware 5.10 - 5.37

... and 12 more

Published Jul 17, 2023

Tracked Since Feb 18, 2026