CVE-2023-35136
Description
An improper input validation vulnerability in the “Quagga” package of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to access configuration files on an affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Zyxel firewall Quagga package allows authenticated local attacker to access configuration files.
Vulnerability
An improper input validation vulnerability exists in the "Quagga" package of Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37. The bug occurs when the affected device processes certain inputs without proper validation, enabling an authenticated local attacker to access configuration files. [1]
Exploitation
An attacker must have local, authenticated access to the affected device. No special privileges beyond initial authentication are required; the attacker can then exploit the improper input validation to read configuration files that should be restricted. [1]
Impact
Successful exploitation allows the attacker to read configuration files on the device, leading to information disclosure of sensitive settings and potentially further compromise. The attacker does not gain code execution or privilege escalation directly from this vulnerability. [1]
Mitigation
Zyxel released patches addressing this vulnerability in firmware versions after 5.37 for the affected series. Users are advised to update to the latest firmware available from Zyxel's support site. No workaround is provided; installing the patch is the recommended mitigation. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6 affected products:
- Range: versions 4.32 through 5.37
- Range: versions 4.16 through 5.37
- Range: versions 4.16 through 5.37 (+ 1 more)
- (no CPE) Range: versions 4.16 through 5.37
- (no CPE) Range: versions 4.50 through 5.37
- Range: versions 4.30 through 5.37
Patches
No patches discovered yet.
References
1 reference
News mentions
No linked articles in our index yet.