VYPR
Unrated severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 12, 2025

CVE-2023-22913

Description

A post-authentication command injection vulnerability in the “account_operator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data, resulting in denial-of-service (DoS) conditions on an affected device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A post-authentication command injection in the account_operator.cgi program of Zyxel USG FLEX series firmware (4.50 through 5.35) and VPN series firmware (4.30 through 5.35) allows remote authenticated attackers to modify device configuration data and cause denial-of-service.

Vulnerability

A post-authentication command injection vulnerability exists in the account_operator.cgi CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35 [1]. The vulnerability allows a remote authenticated attacker to inject arbitrary commands, which can be leveraged to modify device configuration data [1].

Exploitation

An attacker must have valid authentication credentials and network access to the device's management interface. WAN access is disabled by default, so the attacker typically needs to be on a local network or have VPN access [1]. The attacker sends a crafted HTTP request to the account_operator.cgi endpoint with malicious command injection payloads [1].

Impact

Successful exploitation enables the attacker to modify device configuration data, leading to denial-of-service (DoS) conditions on the affected device [1]. The device may become unresponsive or lose connectivity, disrupting normal operations [1].

Mitigation

Zyxel has released firmware updates to address this vulnerability. Users should upgrade to the latest firmware version as specified in the security advisory [1]. No workarounds are documented; limiting management access to trusted sources and restricting network exposure can reduce risk.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

1
