
    10 vulnerabilities found for uos by zyxel

    CVE-2025-1732 (GCVE-0-2025-1732)

    Vulnerability from nvd – Published: 2025-04-22 01:57 – Updated: 2026-02-26 18:28
    Summary
    An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker who already holds administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device. Note the preconditions reflected in the vendor CVSS vector (AV:L, PR:H): the attacker must already have local administrator access, so the practical exposure is a compromised or malicious administrator account rather than an unauthenticated remote attack. Only V1.31 and earlier are listed as affected; consult the vendor advisory referenced below for the fixed release.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1732",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T03:56:06.880791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:08.391Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= V1.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device."
                }
              ],
              "value": "An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T07:05:39.793Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2025-1732",
        "datePublished": "2025-04-22T01:57:35.395Z",
        "dateReserved": "2025-02-27T03:13:45.776Z",
        "dateUpdated": "2026-02-26T18:28:08.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1731 (GCVE-0-2025-1731)

    Vulnerability from nvd – Published: 2025-04-22 01:52 – Updated: 2026-02-26 18:28
    Summary
    An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate privileges by crafting malicious scripts, or to modify system configurations with administrator-level access by using a stolen administrator token. Modifying the system configuration is only possible while the administrator has not logged out and the stolen token remains valid. Note that CISA's SSVC assessment marks exploitation as "poc" and the record below references a Full Disclosure post, i.e. a public proof-of-concept exists for this issue; treat it as the highest-priority item among the uOS vulnerabilities listed on this page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Zyxel USG FLEX H series uOS firmware Affected: from V1.20 through V1.31

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1731",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-02T03:55:18.303921Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:09.056Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-24T06:04:04.291Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2025/Apr/27"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "from V1.20 through V1.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid."
                }
              ],
              "value": "An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T07:06:19.271Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2025-1731",
        "datePublished": "2025-04-22T01:52:04.064Z",
        "dateReserved": "2025-02-27T03:13:40.559Z",
        "dateUpdated": "2026-02-26T18:28:09.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9677 (GCVE-0-2024-9677)

    Vulnerability from nvd – Published: 2024-10-22 01:19 – Updated: 2024-10-22 15:52
    Summary
    The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier could allow an authenticated local attacker to escalate privileges by stealing the authentication token of a logged-in administrator. Note that this attack can only succeed while the administrator has not logged out (the same token-validity precondition as CVE-2025-1731 above). Also note that the vendor CVSS vector below (C:H/I:N/A:N, 5.5 MEDIUM) scores only the disclosure of the token, not the administrator-level actions an attacker can take with it, so the base score understates the practical impact.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel USG FLEX H series uOS firmware Affected: <= V1.21
    zyxel usg_flex_700h_firmware Affected: 0 , ≤ 1.21 (custom)
        cpe:2.3:o:zyxel:usg_flex_100h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_100hp_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200hp_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_700h_firmware:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_flex_100h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_100hp_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200hp_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_700h_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "usg_flex_700h_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "1.21",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9677",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-22T14:29:58.494312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-22T15:52:56.281Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= V1.21"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions\u0026nbsp;could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out."
                }
              ],
              "value": "The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions\u00a0could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-22T01:19:53.188Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2024-9677",
        "datePublished": "2024-10-22T01:19:53.188Z",
        "dateReserved": "2024-10-09T05:14:46.238Z",
        "dateUpdated": "2024-10-22T15:52:56.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6399 (GCVE-0-2023-6399)

    Vulnerability from nvd – Published: 2024-02-20 01:42 – Updated: 2024-08-02 08:28
    Summary
    A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPsec VPN user to cause a denial of service (DoS) of the "deviceid" daemon by sending a crafted hostname to an affected device, but only if the "Device Insight" feature is enabled. The attacker must hold valid VPN credentials (CVSS AV:A, PR:L); devices with Device Insight disabled are not exposed to this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-134 - Use of Externally-Controlled Format String
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel ATP series firmware Affected: version 4.32 through 5.37 Patch 1
    Zyxel USG FLEX series firmware Affected: version 4.50 through 5.37 Patch 1
    Zyxel USG FLEX 50(W) series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG20(W)-VPN series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG FLEX H series firmware Affected: version 1.10 through 1.10 Patch 1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-20T15:30:36.983773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:43.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.797Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ATP series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.32 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.50 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " USG FLEX 50(W) series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG20(W)-VPN series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 1.10 through 1.10 Patch 1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and\u0026nbsp;USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the \u201cdeviceid\u201d daemon by sending a crafted hostname to an affected device if it has the \u201cDevice Insight\u201d feature enabled."
                }
              ],
              "value": "A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and\u00a0USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the \u201cdeviceid\u201d daemon by sending a crafted hostname to an affected device if it has the \u201cDevice Insight\u201d feature enabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-134",
                  "description": "CWE-134 Use of Externally-Controlled Format String",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T09:20:18.921Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2023-6399",
        "datePublished": "2024-02-20T01:42:21.027Z",
        "dateReserved": "2023-11-30T07:58:19.503Z",
        "dateUpdated": "2024-08-02T08:28:21.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6398 (GCVE-0-2023-6398)

    Vulnerability from nvd – Published: 2024-02-20 01:34 – Updated: 2024-08-25 15:46
    Summary
    A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1, NWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP. Note that both administrator credentials and network reachability of the device's FTP service are preconditions; restricting management-plane access (including FTP) to trusted networks limits exposure until the firmware is updated.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel ATP series firmware Affected: version 4.32 through 5.37 Patch 1
    Zyxel USG FLEX series firmware Affected: version 4.50 through 5.37 Patch 1
    Zyxel USG FLEX 50(W) series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG20(W)-VPN series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel NWA50AX firmware Affected: < 6.29(ABYW.4)
    Zyxel WAC500 firmware Affected: < 6.70(ABVS.1)
    Zyxel WAX300H firmware Affected: < 6.70(ACHF.1)
    Zyxel WBE660S firmware Affected: < 6.70(ACGG.1)
    Zyxel USG FLEX H series firmware Affected: version 1.10 through 1.10 Patch 1
    zyxel atp800_firmware Affected: 4.32 , ≤ 5.37_patch1 (custom)
        cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
    zyxel usg_flex_700_firmware Affected: 4.50 , < 5.37_patch1 (custom) — note: this NVD range is exclusive of 5.37_patch1, whereas the vendor description above states USG FLEX firmware "from 4.50 through 5.37 Patch 1" is affected (and the ATP entry above uses ≤ 5.37_patch1); CPE-based matching on this range may miss devices running 5.37 Patch 1, so treat that version as affected per the CNA text.
        cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500w_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
    zyxel nwa50ax_firmware Affected: 0 , < 6.29\(abyw.4\) (custom)
        cpe:2.3:o:zyxel:nwa50ax_firmware:-:*:*:*:*:*:*:*
    zyxel wac500_firmware Affected: 0 , < 6.70\(abvs.1\) (custom)
        cpe:2.3:o:zyxel:wac500_firmware:-:*:*:*:*:*:*:*
    zyxel wax300h_firmware Affected: 0 , < 6.70\(achf.1\) (custom)
        cpe:2.3:o:zyxel:wax300h_firmware:*:*:*:*:*:*:*:*
    zyxel wbe660s_firmware Affected: 0 , < 6.70\(acgg.1\) (custom)
        cpe:2.3:o:zyxel:wbe660s_firmware:*:*:*:*:*:*:*:*
    zyxel usg_20w-vpn_firmware Affected: 4.16 , ≤ 5.37_patch1 (custom)
        cpe:2.3:o:zyxel:usg_20w-vpn_firmware:-:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.823Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "atp800_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "5.37_patch1",
                    "status": "affected",
                    "version": "4.32",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500w_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "usg_flex_700_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "5.37_patch1",
                    "status": "affected",
                    "version": "4.50",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:nwa50ax_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "nwa50ax_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.29\\(abyw.4\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wac500_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wac500_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(abvs.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wax300h_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wax300h_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(achf.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wbe660s_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wbe660s_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(acgg.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "usg_20w-vpn_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "5.37_patch1",
                    "status": "affected",
                    "version": "4.16",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6398",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-01T05:01:04.429989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-25T15:46:49.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ATP series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.32 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.50 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX 50(W) series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": " version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG20(W)-VPN series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " NWA50AX firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.29(ABYW.4)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " WAC500 firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ABVS.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WAX300H firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ACHF.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WBE660S firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ACGG.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 1.10 through 1.10 Patch 1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, \n\nUSG FLEX H series firmware versions from 1.10 through 1.10 Patch 1,\n\nNWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP."
                }
              ],
              "value": "A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, \n\nUSG FLEX H series firmware versions from 1.10 through 1.10 Patch 1,\n\nNWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T09:17:30.230Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2023-6398",
        "datePublished": "2024-02-20T01:34:32.229Z",
        "dateReserved": "2023-11-30T07:58:16.356Z",
        "dateUpdated": "2024-08-25T15:46:49.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1732 (GCVE-0-2025-1732)

    Vulnerability from cvelistv5 – Published: 2025-04-22 01:57 – Updated: 2026-02-26 18:28
    Summary
    An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1732",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T03:56:06.880791Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:08.391Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= V1.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device."
                }
              ],
              "value": "An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T07:05:39.793Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2025-1732",
        "datePublished": "2025-04-22T01:57:35.395Z",
        "dateReserved": "2025-02-27T03:13:45.776Z",
        "dateUpdated": "2026-02-26T18:28:08.391Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1731 (GCVE-0-2025-1731)

    Vulnerability from cvelistv5 – Published: 2025-04-22 01:52 – Updated: 2026-02-26 18:28
    Summary
    An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Zyxel USG FLEX H series uOS firmware Affected: from V1.20 through V1.31

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1731",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-02T03:55:18.303921Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T18:28:09.056Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-04-24T06:04:04.291Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2025/Apr/27"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "from V1.20 through V1.31"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid."
                }
              ],
              "value": "An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-12T07:06:19.271Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-incorrect-permission-assignment-and-improper-privilege-management-vulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2025-1731",
        "datePublished": "2025-04-22T01:52:04.064Z",
        "dateReserved": "2025-02-27T03:13:40.559Z",
        "dateUpdated": "2026-02-26T18:28:09.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-9677 (GCVE-0-2024-9677)

    Vulnerability from cvelistv5 – Published: 2024-10-22 01:19 – Updated: 2024-10-22 15:52
    Summary
    The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel USG FLEX H series uOS firmware Affected: <= V1.21
    zyxel usg_flex_700h_firmware Affected: 0 , ≤ 1.21 (custom)
        cpe:2.3:o:zyxel:usg_flex_100h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_100hp_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200hp_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500h_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_700h_firmware:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_flex_100h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_100hp_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200hp_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500h_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_700h_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "usg_flex_700h_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "1.21",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9677",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-22T14:29:58.494312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-22T15:52:56.281Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series uOS firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c= V1.21"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions\u0026nbsp;could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out."
                }
              ],
              "value": "The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions\u00a0could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522 Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-22T01:19:53.188Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2024-9677",
        "datePublished": "2024-10-22T01:19:53.188Z",
        "dateReserved": "2024-10-09T05:14:46.238Z",
        "dateUpdated": "2024-10-22T15:52:56.281Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6399 (GCVE-0-2023-6399)

    Vulnerability from cvelistv5 – Published: 2024-02-20 01:42 – Updated: 2024-08-02 08:28
    Summary
    A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the “deviceid” daemon by sending a crafted hostname to an affected device if it has the “Device Insight” feature enabled.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-134 - Use of Externally-Controlled Format String
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel ATP series firmware Affected: version 4.32 through 5.37 Patch 1
    Zyxel USG FLEX series firmware Affected: version 4.50 through 5.37 Patch 1
    Zyxel USG FLEX 50(W) series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG20(W)-VPN series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG FLEX H series firmware Affected: version 1.10 through 1.10 Patch 1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6399",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-20T15:30:36.983773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-05T17:21:43.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.797Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ATP series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.32 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.50 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " USG FLEX 50(W) series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG20(W)-VPN series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 1.10 through 1.10 Patch 1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and\u0026nbsp;USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the \u201cdeviceid\u201d daemon by sending a crafted hostname to an affected device if it has the \u201cDevice Insight\u201d feature enabled."
                }
              ],
              "value": "A format string vulnerability in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, and\u00a0USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1 could allow an authenticated IPSec VPN user to cause DoS conditions against the \u201cdeviceid\u201d daemon by sending a crafted hostname to an affected device if it has the \u201cDevice Insight\u201d feature enabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-134",
                  "description": "CWE-134 Use of Externally-Controlled Format String",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T09:20:18.921Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2023-6399",
        "datePublished": "2024-02-20T01:42:21.027Z",
        "dateReserved": "2023-11-30T07:58:19.503Z",
        "dateUpdated": "2024-08-02T08:28:21.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6398 (GCVE-0-2023-6398)

    Vulnerability from cvelistv5 – Published: 2024-02-20 01:34 – Updated: 2024-08-25 15:46
    Summary
    A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 through 1.10 Patch 1, NWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Zyxel ATP series firmware Affected: version 4.32 through 5.37 Patch 1
    Zyxel USG FLEX series firmware Affected: version 4.50 through 5.37 Patch 1
    Zyxel USG FLEX 50(W) series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel USG20(W)-VPN series firmware Affected: version 4.16 through 5.37 Patch 1
    Zyxel NWA50AX firmware Affected: < 6.29(ABYW.4)
    Zyxel WAC500 firmware Affected: < 6.70(ABVS.1)
    Zyxel WAX300H firmware Affected: < 6.70(ACHF.1)
    Zyxel WBE660S firmware Affected: < 6.70(ACGG.1)
    Zyxel USG FLEX H series firmware Affected: version 1.10 through 1.10 Patch 1
    zyxel atp800_firmware Affected: 4.32 , ≤ 5.37_patch1 (custom)
        cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
    zyxel usg_flex_700_firmware Affected: 4.50 , < 5.37_patch1 (custom) — note: this enrichment entry uses a strict upper bound that excludes 5.37 Patch 1, whereas the vendor's own range above ("version 4.50 through 5.37 Patch 1") and the sibling ATP entry (≤ 5.37_patch1) include it, and the USG FLEX 200/500 CPEs are listed under both entries. Treat 5.37 Patch 1 as affected and upgrade per the vendor advisory.
        cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_500w_firmware:*:*:*:*:*:*:*:*
        cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*
    zyxel nwa50ax_firmware Affected: 0 , < 6.29\(abyw.4\) (custom)
        cpe:2.3:o:zyxel:nwa50ax_firmware:-:*:*:*:*:*:*:*
    zyxel wac500_firmware Affected: 0 , < 6.70\(abvs.1\) (custom)
        cpe:2.3:o:zyxel:wac500_firmware:-:*:*:*:*:*:*:*
    zyxel wax300h_firmware Affected: 0 , < 6.70\(achf.1\) (custom)
        cpe:2.3:o:zyxel:wax300h_firmware:*:*:*:*:*:*:*:*
    zyxel wbe660s_firmware Affected: 0 , < 6.70\(acgg.1\) (custom)
        cpe:2.3:o:zyxel:wbe660s_firmware:*:*:*:*:*:*:*:*
    zyxel usg_20w-vpn_firmware Affected: 4.16 , ≤ 5.37_patch1 (custom)
        cpe:2.3:o:zyxel:usg_20w-vpn_firmware:-:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:28:21.823Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "atp800_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "5.37_patch1",
                    "status": "affected",
                    "version": "4.32",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_500w_firmware:*:*:*:*:*:*:*:*",
                  "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "usg_flex_700_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "5.37_patch1",
                    "status": "affected",
                    "version": "4.50",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:nwa50ax_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "nwa50ax_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.29\\(abyw.4\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wac500_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wac500_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(abvs.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wax300h_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wax300h_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(achf.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:wbe660s_firmware:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "wbe660s_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThan": "6.70\\(acgg.1\\)",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "usg_20w-vpn_firmware",
                "vendor": "zyxel",
                "versions": [
                  {
                    "lessThanOrEqual": "5.37_patch1",
                    "status": "affected",
                    "version": "4.16",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6398",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-01T05:01:04.429989Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-25T15:46:49.897Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ATP series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.32 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.50 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX 50(W) series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": " version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG20(W)-VPN series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 4.16 through 5.37 Patch 1"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " NWA50AX firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.29(ABYW.4)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": " WAC500 firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ABVS.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WAX300H firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ACHF.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "WBE660S firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 6.70(ACGG.1)"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "USG FLEX H series firmware",
              "vendor": "Zyxel",
              "versions": [
                {
                  "status": "affected",
                  "version": "version 1.10 through 1.10 Patch 1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, \n\nUSG FLEX H series firmware versions from 1.10 through 1.10 Patch 1,\n\nNWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP."
                }
              ],
              "value": "A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 through 5.37 Patch 1, USG FLEX series firmware versions from 4.50 through 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 through 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 through 5.37 Patch 1, \n\nUSG FLEX H series firmware versions from 1.10 through 1.10 Patch 1,\n\nNWA50AX firmware versions through 6.29(ABYW.3), WAC500 firmware versions through 6.65(ABVS.1), WAX300H firmware versions through 6.60(ACHF.1), and WBE660S firmware versions through 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T09:17:30.230Z",
            "orgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
            "shortName": "Zyxel"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "96e50032-ad0d-4058-a115-4d2c13821f9f",
        "assignerShortName": "Zyxel",
        "cveId": "CVE-2023-6398",
        "datePublished": "2024-02-20T01:34:32.229Z",
        "dateReserved": "2023-11-30T07:58:16.356Z",
        "dateUpdated": "2024-08-25T15:46:49.897Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }