CVE-2023-35136

Description

An improper input validation vulnerability in the “Quagga” package of the Zyxel ATP series firmware versions 4.32 through 5.37, USG FLEX series firmware versions 4.50 through 5.37, USG FLEX 50(W) series firmware versions 4.16 through 5.37, USG20(W)-VPN series firmware versions 4.16 through 5.37, and VPN series firmware versions 4.30 through 5.37, could allow an authenticated local attacker to access configuration files on an affected device.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

Zyxel / ATP series firmwareversions 4.32 through 5.37 – versions 4.32 through 5.37
Zyxel / USG20(W)-VPN series firmwareversions 4.16 through 5.37 – versions 4.16 through 5.37
Zyxel / USG FLEX 50(W) series firmwareversions 4.16 through 5.37 – versions 4.16 through 5.37
Zyxel / USG FLEX series firmwareversions 4.50 through 5.37 – versions 4.50 through 5.37
Zyxel / VPN series firmwareversions 4.30 through 5.37 – versions 4.30 through 5.37

References

VENDOR_ADVISORYhttps://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps