Unrated severityCISA KEVNVD Advisory· Published Apr 25, 2023· Updated Oct 21, 2025

CVE-2023-28771

Description

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

Affected products

Zyxel/ZyWALL/USG series firmwarev5
Range: 4.60 through 4.73
Zyxel/VPN series firmwarev5
Range: 4.60 through 5.35
Zyxel/USG FLEX series firmwarev5
Range: 4.60 through 5.35
Zyxel/ATP series firmwarev5
Range: 4.60 through 5.35

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.htmlmitre
www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewallsmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000