Tracked as CVE-2023-28771 (CVSS score of 9.8), the security defect can be exploited remotely to execute OS commands.
“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel explains in its advisory.
The bug impacts ATP, USG FLEX, and VPN firmware versions 4.60 to 5.35, and ZyWALL/USG firmware versions 4.60 to 4.73. Fixes were included in ATP, USG FLEX, and VPN firmware releases 5.36 and ZyWALL/USG firmware version 4.73 Patch 1.
Users are advised to update their firewalls as soon as possible. While the vulnerability does not appear to be exploited in malicious attacks, unpatched Zyxel appliances are known to be targeted by malicious actors.
