CVE-2023-22915
📋 TL;DR
A buffer overflow in the fbwifi_forward.cgi CGI program of affected Zyxel firewalls lets a remote, unauthenticated attacker trigger a denial of service by sending a crafted HTTP request. It affects USG FLEX, USG FLEX 50(W), USG20(W)-VPN and VPN series devices running firmware up to and including 5.35, and the endpoint is only reachable while the device's Facebook WiFi function is enabled.
💻 Affected Systems
- Zyxel USG FLEX series
- Zyxel USG FLEX 50(W)
- Zyxel USG20(W)-VPN
- Zyxel VPN series
All of the above on firmware versions through 5.35 with Facebook WiFi enabled; releases after 5.35 are not affected.
📦 What is this software?
The affected products are Zyxel's ZLD-based firewall and VPN gateway appliances (USG FLEX, USG20(W)-VPN and VPN series). Facebook WiFi is an optional guest-hotspot feature on these devices: instead of entering credentials on the captive portal, a guest is forwarded to Facebook to check in at the business's page. Judging by its name, fbwifi_forward.cgi is the handler on the device's built-in web server that performs that forward, which is why it is only exposed while the feature is turned on.
⚠️ Risk & Real-World Impact
Worst Case
A remote, unauthenticated attacker crashes the device or the service behind its web portal. Because the request needs no credentials and can be resent at will, the outage can be sustained for as long as the attacker keeps sending it, and everything that depends on the appliance (routed LAN segments, site-to-site and remote-access VPN tunnels) loses connectivity while it is down. Zyxel documents a denial of service only; no code execution is claimed for this bug.
Likely Case
A remote attacker crashes the affected service or forces a reboot, disrupting connectivity through the device until it comes back up or an operator restarts it.
If Mitigated
If Facebook WiFi is disabled, the vulnerability cannot be exploited and there is no impact.
🎯 Exploit Status
Exploitation is a single crafted HTTP request to /cgi-bin/fbwifi_forward.cgi on the device's web server; no credentials are needed. The endpoint is only served while Facebook WiFi is enabled, so it is reachable from whatever network can reach that portal, typically the guest Wi-Fi, and from the WAN if the web service is exposed there. Only the denial-of-service outcome is documented by Zyxel.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.35 (ZLD V5.36 and later)
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps
Restart Required: Yes
Instructions:
1. Back up the current configuration (Maintenance > File Manager > Configuration File) so it can be restored if the upgrade misbehaves.
2. Download the firmware image for your exact model from the Zyxel support portal; take it only from Zyxel's own site.
3. Upload and install it via Maintenance > File Manager > Firmware Management in the web interface, or via the CLI.
4. Reboot after installation and confirm the running version with show version.
🔧 Temporary Workarounds
Disable Facebook WiFi
Disable the Facebook WiFi function to remove the attack surface entirely. The exact menu location and CLI syntax depend on the ZLD release and are not verified here against a specific firmware, so confirm them in the User's Guide for your version.
Web Interface: the Facebook WiFi settings live in the Configuration menu alongside the other guest-portal (web authentication / hotspot) features, not under Object > Service, which only defines service objects.
CLI: ZLD commands are entered from configure terminal and saved with write (there is no commit). Use the command documented in the CLI Reference Guide for your firmware rather than a guessed one.
Network Access Control
Restrict which networks can reach the device's own web server. The endpoint is served by the firewall itself, so a security-policy rule cannot filter it by URL path; use Configuration > System > WWW > Service Control instead to limit HTTP/HTTPS access to trusted zones and addresses and to deny it from the WAN. Guests using Facebook WiFi must still reach the portal, so this narrows exposure rather than eliminating it; disabling the feature is the complete workaround short of patching.
🧯 If You Can't Patch
- Disable the Facebook WiFi function immediately
- Deny HTTP/HTTPS to the device from the WAN and from any untrusted zone via service control
- Implement network segmentation to isolate affected devices from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the firmware version on the Dashboard or under Maintenance > File Manager > Firmware Management in the web interface, or with show version on the CLI. Anything up to and including 5.35 on a listed model is affected. Then check whether Facebook WiFi is enabled on its configuration page (the menu location varies by ZLD release).
Check Version:
show version
Verify Fix Applied:
After patching, confirm the running firmware version is later than 5.35 (ZLD 5.36 or newer) and that the Facebook WiFi setting is still what you intend.
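The check above reduced to code, as an added example that is not from this page or from Zyxel: a fleet triage that parses ZLD-style version strings (the "V5.35(ABUF.0)" form shown by show version and the firmware page) and classifies each device as vulnerable, mitigated (affected firmware but Facebook WiFi off; it still needs the update before anyone re-enables the feature), patched or unknown. The Device record, the inventory, hostnames and versions are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# CVE-2023-22915 affects listed models through firmware 5.35; later ZLD releases carry the fix.
LAST_VULNERABLE = (5, 35)

# ZLD version strings read like "V5.35(ABUF.0)"; the major.minor part is all that matters here.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)")


class Device(NamedTuple):
    """One appliance from an inventory (constructed record type, not a Zyxel API)."""
    name: str
    version: str          # version string as shown by `show version` or the firmware page
    facebook_wifi: bool   # whether the Facebook WiFi function is enabled


def parse_zld_version(version: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a ZLD version string; None if it cannot be parsed."""
    m = _VERSION_RE.match(version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(dev: Device) -> str:
    """Classify a device as 'patched', 'vulnerable', 'mitigated' or 'unknown'.

    'mitigated' means the firmware is affected but the feature is off, so the
    endpoint is unreachable today; it still needs the update before anyone
    re-enables Facebook WiFi.
    """
    v = parse_zld_version(dev.version)
    if v is None:
        return "unknown"
    if v > LAST_VULNERABLE:
        return "patched"
    return "vulnerable" if dev.facebook_wifi else "mitigated"


def triage_all(devices: List[Device]) -> Dict[str, str]:
    """Map each device name to its triage state."""
    return {d.name: triage(d) for d in devices}


# Constructed inventory: hostnames and versions are made up for illustration.
INVENTORY = [
    Device("fw-branch-01", "V5.35(ABUF.0)", True),    # affected, feature on
    Device("fw-branch-02", "V5.35(ABUF.0)", False),   # affected, feature off
    Device("fw-hq-01", "V5.36(ABUF.0)", True),        # first fixed release
    Device("fw-lab-01", "4.50(ABUI.0)", True),        # older 4.x train, no leading V
    Device("fw-unknown", "n/a", True),                # version not collected
]

if __name__ == "__main__":
    for name, state in triage_all(INVENTORY).items():
        print(f"{name:14} {state}")
```

Feed it the version strings collected from show version across the estate; anything reported as unknown means the collector did not get a parseable version and the device needs a manual look.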
📡 Detection & Monitoring
Log Indicators:
- Bursts of HTTP requests to /cgi-bin/fbwifi_forward.cgi, especially with oversized query strings or bodies; the device's own web server may not log the request that crashed it, so a reverse proxy, load balancer or network sensor in front of the device is the more reliable source
- Unexpected reboot or watchdog entries in the device log, and gaps in syslog forwarding, around the time of such requests
- Facebook WiFi portal errors reported by guests
Network Indicators:
- HTTP traffic to /cgi-bin/fbwifi_forward.cgi from sources that are not guest-portal clients, or at a rate no captive portal would produce
- Sudden loss of connectivity through the device (tunnels dropping, monitoring probes failing) immediately after such requests
SIEM Query:
Illustrative pseudo-query; the field names depend on how your SIEM parses Zyxel syslog and sensor logs, so map them to your own schema:
source="zyxel-firewall" AND (url="/cgi-bin/fbwifi_forward.cgi" OR event_type="crash" OR service="facebook-wifi")
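The log and network indicators above as working detection logic, added here as an example that is not from this page or from Zyxel. It parses a Zeek-style http.log from a sensor in front of the firewall (a constructed excerpt using the real Zeek column names but made-up addresses and timestamps) and raises alerts for requests to the endpoint that carry an oversized query string or body, noting when the server never answered, and for per-source bursts. The thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

TARGET_PATH = "/cgi-bin/fbwifi_forward.cgi"

# Thresholds are assumptions to tune: a captive-portal forwarder never needs
# kilobytes of query string or body, and real guests do not hit it several
# times per minute from one address.
MAX_URI_LEN = 512
MAX_BODY_LEN = 1024
BURST_COUNT = 5
BURST_WINDOW_S = 60.0


@dataclass
class HttpRecord:
    ts: float
    src: str
    dst: str
    method: str
    uri: str
    body_len: int
    status: str   # Zeek writes '-' when the server never answered


def parse_zeek_http(text: str) -> List[HttpRecord]:
    """Parse a Zeek http.log (TSV with a '#fields' header) into records."""
    fields = None
    records: List[HttpRecord] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        row = dict(zip(fields, line.split("\t")))
        body = row.get("request_body_len", "-")
        records.append(HttpRecord(
            ts=float(row["ts"]),
            src=row["id.orig_h"],
            dst=row["id.resp_h"],
            method=row["method"],
            uri=row["uri"],
            body_len=0 if body == "-" else int(body),
            status=row.get("status_code", "-"),
        ))
    return records


def detect_fbwifi_abuse(records: List[HttpRecord]) -> List[Dict]:
    """Return alerts for oversized requests and per-source bursts against the endpoint."""
    hits = [r for r in records if r.uri.split("?", 1)[0] == TARGET_PATH]
    alerts: List[Dict] = []
    for r in hits:
        if len(r.uri) > MAX_URI_LEN or r.body_len > MAX_BODY_LEN:
            alerts.append({
                "type": "oversized_request", "src": r.src, "ts": r.ts,
                "method": r.method, "uri_len": len(r.uri), "body_len": r.body_len,
                "no_response": r.status == "-",   # server died or hung after this request
            })
    by_src: Dict[str, List[float]] = defaultdict(list)
    for r in hits:
        by_src[r.src].append(r.ts)
    for src, times in by_src.items():           # sliding window per source address
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW_S:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                alerts.append({"type": "burst", "src": src,
                               "count": end - start + 1, "window_start": times[start]})
                break
    return alerts


# Constructed http.log excerpt: real Zeek column names, made-up hosts and times.
_HEADER = "#fields\tts\tid.orig_h\tid.resp_h\tmethod\turi\trequest_body_len\tstatus_code"
_LONG_URI = TARGET_PATH + "?next=" + "A" * 3000
SAMPLE_HTTP_LOG = "\n".join([
    _HEADER,
    "1700000000.100\t192.0.2.10\t203.0.113.1\tGET\t" + TARGET_PATH + "?next=https://www.facebook.com/\t0\t302",
    "1700000001.000\t198.51.100.7\t203.0.113.1\tGET\t" + _LONG_URI + "\t0\t-",
    "1700000002.000\t198.51.100.7\t203.0.113.1\tPOST\t" + TARGET_PATH + "\t4096\t-",
    "1700000003.000\t198.51.100.7\t203.0.113.1\tGET\t" + TARGET_PATH + "\t0\t-",
    "1700000004.000\t198.51.100.7\t203.0.113.1\tGET\t" + TARGET_PATH + "\t0\t-",
    "1700000005.000\t198.51.100.7\t203.0.113.1\tGET\t" + TARGET_PATH + "\t0\t-",
    "1700000006.000\t198.51.100.7\t203.0.113.1\tGET\t" + TARGET_PATH + "\t0\t-",
    "1700000010.000\t192.0.2.11\t203.0.113.1\tGET\t/cgi-bin/other.cgi\t0\t200",
    "1700000100.000\t192.0.2.12\t203.0.113.1\tGET\t" + TARGET_PATH + "?next=x\t0\t302",
    "1700000400.000\t192.0.2.12\t203.0.113.1\tGET\t" + TARGET_PATH + "?next=x\t0\t302",
    "1700000700.000\t192.0.2.12\t203.0.113.1\tGET\t" + TARGET_PATH + "?next=x\t0\t302",
])

if __name__ == "__main__":
    for alert in detect_fbwifi_abuse(parse_zeek_http(SAMPLE_HTTP_LOG)):
        print(alert)
```

The sample keeps the legitimate guest traffic (one forward from 192.0.2.10, three slow ones from 192.0.2.12) quiet and flags only 198.51.100.7, which sends an oversized query string and an oversized POST body that get no response and then hammers the endpoint. The "no_response" flag on an oversized request is the closest thing a sensor sees to the crash itself.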