CVE-2023-22917

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in Zyxel network devices allows remote unauthenticated attackers to cause denial of service by uploading a crafted configuration file. This affects multiple Zyxel firewall and VPN product lines running vulnerable firmware versions. Attackers can trigger core dumps and potentially crash affected devices.

💻 Affected Systems

Products:
  • Zyxel ATP series
  • USG FLEX series
  • USG FLEX 50(W)
  • USG20(W)-VPN
  • VPN series
Versions: ATP: 5.10-5.32, USG FLEX: 5.00-5.32, USG FLEX 50(W): 5.10-5.32, USG20(W)-VPN: 5.10-5.32, VPN: 5.00-5.35
Operating Systems: Zyxel firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in sdwan_iface_ipc binary across multiple product lines. Requires configuration file upload capability.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, though the advisory only confirms denial of service via core dump.

🟠 Likely Case

Denial of service through device crash or instability, disrupting network connectivity.

🟢 If Mitigated

Minimal impact if devices are patched or isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible from internet-facing interfaces.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to management interfaces.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Remote unauthenticated exploitation via file upload.

Advisory confirms remote unauthenticated exploitation possible. No public exploit code identified at time of advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to firmware versions beyond affected ranges: ATP 5.33+, USG FLEX 5.33+, USG FLEX 50(W) 5.33+, USG20(W)-VPN 5.33+, VPN 5.36+

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-of-firewalls-and-aps

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface or CLI.
4. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict configuration upload access (applies to: all)

Limit access to configuration upload functionality to trusted networks only.

Network segmentation (applies to: all)

Isolate management interfaces from untrusted networks using firewall rules.

🧯 If You Can't Patch

  • Disable remote configuration upload functionality if not required
  • Implement strict network access controls to management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Maintenance > Firmware) or CLI command 'show version'

Check Version:

show version

Verify Fix Applied:

Verify firmware version is beyond affected ranges: ATP ≥5.33, USG FLEX ≥5.33, USG FLEX 50(W) ≥5.33, USG20(W)-VPN ≥5.33, VPN ≥5.36
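As an added example (not from the advisory or from Zyxel), a small Python triage helper that compares firmware version strings, such as the ones reported by 'show version', against the affected ranges listed above; the version string format and the inventory rows are constructed assumptions.

```python
import re

# Affected firmware ranges per product line, as listed in this advisory summary.
# Ranges are inclusive on (major, minor); the first fixed release is the next
# minor version above each range (5.33 / 5.36).
AFFECTED = {
    "ATP": ((5, 10), (5, 32)),
    "USG FLEX": ((5, 0), (5, 32)),
    "USG FLEX 50(W)": ((5, 10), (5, 32)),
    "USG20(W)-VPN": ((5, 10), (5, 32)),
    "VPN": ((5, 0), (5, 35)),
}


def parse_version(text):
    """Extract (major, minor) from a firmware string such as 'V5.32(ABUJ.0)'
    or '5.36'. The build suffix in parentheses is an assumed format and is
    ignored: the advisory ranges are expressed on major.minor only."""
    m = re.search(r"V?(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no firmware version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(product, version_text):
    """True if this product line at this firmware version falls inside the
    affected range for CVE-2023-22917."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product line: {product}")
    low, high = AFFECTED[product]
    return low <= parse_version(version_text) <= high


def triage(inventory):
    """Given rows of (hostname, product line, version string), return the
    hostnames that still need the firmware update."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]


# Constructed sample inventory, not real devices.
INVENTORY = [
    ("fw-edge-1", "ATP", "V5.32(ABUJ.0)"),
    ("fw-edge-2", "ATP", "V5.33(ABUJ.0)"),
    ("vpn-hq", "VPN", "V5.35(ABFV.0)"),
    ("vpn-branch", "VPN", "V5.36(ABFV.0)"),
    ("flex-lab", "USG FLEX", "V5.00(ABUJ.0)"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected firmware, update required")
```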

📡 Detection & Monitoring

Log Indicators:

  • Core dump messages
  • Unexpected process crashes
  • Failed configuration upload attempts

Network Indicators:

  • Unusual configuration file uploads to management interfaces
  • Traffic spikes to sdwan_iface_ipc service

SIEM Query:

source="zyxel-firewall" AND (event="core_dump" OR event="process_crash" OR message="*sdwan_iface_ipc*")
