CVE-2023-34139
Description
A command injection vulnerability in the Free Time WiFi hotspot feature of the Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2 could allow an unauthenticated, LAN-based attacker to execute some OS commands on an affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-34139 is a command injection in the Free Time WiFi hotspot feature of Zyxel firewalls, allowing an unauthenticated, LAN-based attacker to execute OS commands on affected devices.
Vulnerability
A command injection vulnerability exists in the Free Time WiFi hotspot feature of Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 2 and VPN series firmware versions 4.20 through 5.36 Patch 2 [1]. The vulnerability allows an unauthenticated, LAN-based attacker to execute arbitrary OS commands on the affected device via the hotspot feature, without requiring any special configuration or authentication [1].
Exploitation
An attacker must be on the same local network as the vulnerable device [1]. No authentication is required, and the attacker can directly send crafted input to the Free Time WiFi hotspot functionality to trigger command injection [1]. Exploitation consists of supplying input to the hotspot feature that is incorporated into a command, which the device's operating system then executes [1].
Impact
Successful exploitation allows an unauthenticated, LAN-based attacker to execute arbitrary OS commands on the affected device [1]. This could lead to full compromise of the firewall, including data exfiltration, further network penetration, and potential denial of service [1]. The attack does not require any user interaction or prior access privileges [1].
Mitigation
Zyxel has released patched firmware versions for the affected series [1]. Users are advised to update to the latest firmware versions available from Zyxel's security advisory to mitigate the vulnerability [1]. No workarounds have been provided, and the vulnerability is not known to be listed in the CISA KEV [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zyxel USG FLEX series firmware, range: 4.50 through 5.36 Patch 2
- Zyxel VPN series firmware, range: 4.20 through 5.36 Patch 2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.