CVE-2023-34141

8.0 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in Zyxel firewall and WLAN controller products that allows LAN-based attackers to execute arbitrary OS commands. Attackers must first trick an authorized administrator into adding their IP address to the managed AP list, then exploit the vulnerability. Affected devices include Zyxel ATP series, USG FLEX series, VPN series, and NXC series with specific firmware versions.

💻 Affected Systems

Products:
  • Zyxel ATP series
  • USG FLEX series
  • USG FLEX 50(W) series
  • USG20(W)-VPN series
  • VPN series
  • NXC2500
  • NXC5500
Versions: ATP/USG/VPN series: 5.00 through 5.36 Patch 2; NXC2500: 6.10(AAIG.0) through 6.10(AAIG.3); NXC5500: 6.10(AAOS.0) through 6.10(AAOS.4)
Operating Systems: Zyxel proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires AP management feature to be enabled and attacker IP added to managed AP list by administrator.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise, allowing the attacker to install persistent backdoors, pivot to internal networks, exfiltrate sensitive data, or disrupt network operations.

🟠 Likely Case

Attacker gains shell access to execute limited commands, potentially enabling reconnaissance, credential harvesting, or lateral movement within the network.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated network segments with minimal critical assets.

🌐 Internet-Facing: LOW - Exploitation requires LAN-based access and administrator interaction, making direct internet exploitation unlikely.
🏢 Internal Only: HIGH - Attackers with internal network access can exploit this if they can social engineer an administrator, posing significant internal threat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires social engineering to get an attacker-controlled IP added to the managed AP list, followed by command injection via crafted requests. No public exploit code was known to be available at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ATP/USG/VPN series: 5.37 or later; NXC2500: 6.10(AAIG.4) or later; NXC5500: 6.10(AAOS.5) or later

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Zyxel support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface or CLI.
4. Apply the firmware update.
5. Reboot the device.
6. Verify the firmware version post-update.

🔧 Temporary Workarounds

Disable AP Management Feature

Applies to: all

If AP management is not required, disable the feature to remove the attack surface.

Navigate to Configuration > Network > AP Management > Disable

Restrict AP Management Access

Applies to: all

Limit which IP addresses can be added to the managed AP list using firewall rules.

Add a firewall rule that only allows trusted management IPs to reach the AP management interface

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices from critical assets
  • Enable detailed logging and monitoring for AP management activities and suspicious command execution

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Status) or CLI (show version). Compare against affected versions list.

Check Version:

show version (CLI) or check System > Status in web interface

Verify Fix Applied:

Confirm firmware version is 5.37+ for ATP/USG/VPN series, 6.10(AAIG.4)+ for NXC2500, or 6.10(AAOS.5)+ for NXC5500.
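The version comparison above is easy to get wrong by hand because the firewall series and the NXC controllers use different version formats ("5.36 Patch 2" versus "6.10(AAIG.3)"). The following is an added example, not a Zyxel tool or part of the advisory: it encodes only the affected and fixed versions listed on this page and classifies a version string read from the device (for example the value shown by "show version") as vulnerable, fixed, or outside the listed ranges. The input format accepted by the parser and the sample version strings are assumptions; anything the page does not cover is reported as "unknown" rather than guessed.

```python
import re
from dataclasses import dataclass

# Ranges as given in this advisory summary. Firewall series (ATP/USG/VPN) share one
# range; NXC controllers are distinguished by the four-letter build tag in parentheses.
FIREWALL_FIRST_AFFECTED = (5, 0, 0)   # 5.00
FIREWALL_FIRST_FIXED = (5, 37, 0)     # 5.37 or later
NXC_RANGES = {
    "AAIG": {"model": "NXC2500", "base": (6, 10), "last_affected": 3, "first_fixed": 4},
    "AAOS": {"model": "NXC5500", "base": (6, 10), "last_affected": 4, "first_fixed": 5},
}

# Assumed input formats: "5.36 Patch 2", "5.37", "6.10(AAIG.3)"; a leading "V" is tolerated.
FIREWALL_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)
NXC_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Z]{4})\.(\d+)\)$")


@dataclass
class Assessment:
    product: str
    version: str
    status: str   # "vulnerable", "fixed" or "unknown"
    reason: str


def assess(version: str) -> Assessment:
    """Classify one firmware version string against the ranges on this page."""
    v = version.strip()

    m = NXC_RE.match(v)
    if m:
        major, minor, tag, patch = int(m[1]), int(m[2]), m[3], int(m[4])
        rng = NXC_RANGES.get(tag)
        if rng is None:
            return Assessment("unknown", v, "unknown", f"build tag {tag} not listed; check manually")
        model = rng["model"]
        if (major, minor) != rng["base"]:
            return Assessment(model, v, "unknown", "base version not listed; check manually")
        if patch <= rng["last_affected"]:
            return Assessment(model, v, "vulnerable", "within the affected build range")
        fixed = f"{major}.{minor}({tag}.{rng['first_fixed']})"
        return Assessment(model, v, "fixed", f"at or above first fixed build {fixed}")

    m = FIREWALL_RE.match(v)
    if m:
        t = (int(m[1]), int(m[2]), int(m[3] or 0))
        if t >= FIREWALL_FIRST_FIXED:
            return Assessment("ATP/USG/VPN", v, "fixed", "5.37 or later")
        if t >= FIREWALL_FIRST_AFFECTED:
            return Assessment("ATP/USG/VPN", v, "vulnerable", "between 5.00 and 5.36 Patch 2")
        return Assessment("ATP/USG/VPN", v, "unknown", "older than the listed range; check manually")

    raise ValueError(f"unrecognised version format: {version!r}")


def assess_many(versions):
    """Convenience wrapper for a fleet inventory: returns one Assessment per input string."""
    return [assess(v) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory, not real device output.
    for a in assess_many(["5.36 Patch 2", "5.37", "6.10(AAIG.3)", "6.10(AAOS.5)", "4.73"]):
        print(f"{a.product:12} {a.version:14} {a.status:10} {a.reason}")
```

Feed it the version strings collected from your inventory and patch every device that comes back "vulnerable"; treat "unknown" as a prompt to check the vendor advisory by hand rather than as safe.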

📡 Detection & Monitoring

Log Indicators:

  • Unusual AP management configuration changes
  • Suspicious command execution in system logs
  • Multiple failed AP management authentication attempts

Network Indicators:

  • Unexpected outbound connections from firewall/WLAN controller
  • Anomalous traffic patterns from management interface

SIEM Query:

source="zyxel-firewall" AND ((event_type="config_change" AND config_item="ap_management") OR (event_type="command_execution" AND user="unknown"))
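Written without the inner parentheses, that query would match every command_execution event from any source because AND binds tighter than OR. The following added example (not part of this page or of any SIEM product) evaluates the intended logic over a few constructed key=value log lines so the two conditions can be checked independently of a particular query language. The log line format and field names are assumptions taken from the query above.

```python
import shlex

# Constructed sample events in a simple key=value format; not real Zyxel log output.
SAMPLE_LOGS = """\
source="zyxel-firewall" event_type="config_change" config_item="ap_management" user="admin"
source="zyxel-firewall" event_type="config_change" config_item="nat" user="admin"
source="zyxel-firewall" event_type="command_execution" user="unknown" cmd="REDACTED"
source="zyxel-firewall" event_type="command_execution" user="admin" cmd="show version"
source="linux-host" event_type="command_execution" user="unknown" cmd="id"
"""


def parse_line(line: str) -> dict:
    """Parse one key="value" line into a dict; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def matches(ev: dict) -> bool:
    """The corrected query: source must match AND either sub-condition must hold."""
    if ev.get("source") != "zyxel-firewall":
        return False
    ap_change = ev.get("event_type") == "config_change" and ev.get("config_item") == "ap_management"
    unknown_exec = ev.get("event_type") == "command_execution" and ev.get("user") == "unknown"
    return ap_change or unknown_exec


def find_hits(text: str) -> list:
    """Return the parsed events that the query would surface."""
    return [ev for ev in (parse_line(l) for l in text.splitlines() if l.strip()) if matches(ev)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(hit)
```

Of the five constructed lines, only the ap_management change and the command_execution by an unknown user on the firewall are surfaced; the command_execution on the unrelated Linux host is correctly excluded, which is exactly what the unparenthesised form would get wrong.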
