module
Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution
| Disclosed |
|---|
| Mar 31, 2023 |
Disclosed
Mar 31, 2023
Description
This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange
(IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are
as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The
affected devices are vulnerable in a default configuration and command execution is with root privileges.
(IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are
as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The
affected devices are vulnerable in a default configuration and command execution is with root privileges.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.