CVE-2023-6398
📋 TL;DR
This CVE describes a post-authentication command injection vulnerability in Zyxel firewall and access point firmware. An authenticated attacker with administrator privileges can execute OS commands on affected devices via FTP file upload functionality. This affects multiple Zyxel ATP, USG FLEX, USG20(W)-VPN, NWA50AX, WAC500, WAX300H, and WBE660S series devices.
💻 Affected Systems
- Zyxel ATP series
- USG FLEX series
- USG FLEX 50(W) series
- USG20(W)-VPN series
- USG FLEX H series
- NWA50AX
- WAC500
- WAX300H
- WBE660S
📦 What is this software?
Uos by Zyxel
⚠️ Risk & Real-World Impact
Worst Case
Full device compromise, allowing an attacker to install persistent backdoors, pivot into internal networks, exfiltrate sensitive data, or disrupt network operations.
Likely Case
The attacker gains shell access to the device and can modify configurations, create backdoor accounts, or use the device as a pivot point for lateral movement.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect anomalous FTP activity.
🎯 Exploit Status
Exploitation requires valid admin credentials and FTP access. Command injection via file upload suggests straightforward exploitation once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions per product line
Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-aps-02-20-2024
Restart Required: Yes
Instructions:
1. Identify affected devices and their current firmware versions.
2. Download the appropriate patched firmware from the Zyxel support portal.
3. Back up the current configuration.
4. Apply the firmware update via the web interface or CLI.
5. Verify the update succeeded and restore the configuration if needed.
🔧 Temporary Workarounds
Disable FTP service
Disable FTP file upload functionality if it is not required for operations
Restrict admin access
Limit administrative access to trusted IP addresses and implement strong authentication
🧯 If You Can't Patch
- Implement network segmentation to isolate affected devices from critical assets
- Enable detailed logging for FTP and administrative activities and monitor for anomalies
🔍 How to Verify
Check if Vulnerable:
Compare the device firmware version against the affected ranges listed in the vendor advisory
Check Version:
Check via web interface: System > Maintenance > Firmware or via CLI: show version
Verify Fix Applied:
Confirm the firmware version matches the patched version specified in the vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unusual FTP file upload activities
- Multiple failed authentication attempts followed by successful admin login
- Commands executed via FTP upload process
Network Indicators:
- Unexpected outbound connections from firewall/AP devices
- FTP traffic to/from administrative interfaces
SIEM Query:
source="zyxel_firewall" AND (event="ftp_upload" OR event="command_execution")
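The log and network indicators above, turned into a small correlation script. This is an added example, not part of the original summary and not Zyxel's own tooling; the key=value log layout, field names, thresholds, allowlist and sample lines are all constructed assumptions, so real device logs must be mapped to these fields at the collector before the rules apply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "ts host facility: k=v ..." layout.
# Real Zyxel log formats differ; normalise them to these field names first.
SAMPLE_LOGS = """\
2024-02-21T10:00:01 fw1 auth: user=admin src=203.0.113.7 result=fail
2024-02-21T10:00:03 fw1 auth: user=admin src=203.0.113.7 result=fail
2024-02-21T10:00:05 fw1 auth: user=admin src=203.0.113.7 result=fail
2024-02-21T10:00:09 fw1 auth: user=admin src=203.0.113.7 result=success
2024-02-21T10:00:30 fw1 ftpd: user=admin src=203.0.113.7 upload=/tmp/fw.bin
2024-02-21T10:00:31 fw1 proc: exec=/bin/sh parent=ftpd user=admin
2024-02-21T10:05:00 fw1 conn: dir=out dst=198.51.100.9 dport=4444
2024-02-21T11:00:00 fw1 auth: user=ops src=192.0.2.50 result=success
2024-02-21T11:00:10 fw1 ftpd: user=ops src=192.0.2.50 upload=/cfg/backup.conf
2024-02-21T11:30:00 fw1 conn: dir=out dst=192.0.2.10 dport=514
"""

# Tunables: assumed values chosen for the example, not taken from the advisory.
FAIL_THRESHOLD = 3                       # failed logins before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)       # how far back failed logins are counted
EXEC_AFTER_UPLOAD = timedelta(seconds=120)  # exec this soon after an upload -> critical
OUTBOUND_ALLOW = {"192.0.2.10"}          # e.g. the device's own syslog/NTP servers

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")


def parse_line(line):
    """Turn one log line into a dict with ts, host, facility and its k=v fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, facility, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), host=host, facility=facility)
    return fields


def detect(log_text):
    """Apply the four indicator rules in order; return (severity, rule, ts) tuples."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    last_upload = {}               # user -> time of that user's most recent FTP upload
    for e in events:
        ts, fac = e["ts"], e["facility"]
        if fac == "auth":
            key = (e["user"], e["src"])
            if e["result"] == "fail":
                failures[key].append(ts)
            else:
                # Rule 1: a burst of failed logins followed by a successful admin login.
                recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append(("medium", "failed_logins_then_success", ts))
                failures[key].clear()
        elif fac == "ftpd" and "upload" in e:
            # Rule 2: every FTP upload is recorded; on its own it is low severity.
            last_upload[e["user"]] = ts
            alerts.append(("low", "ftp_upload", ts))
        elif fac == "proc" and e.get("parent") == "ftpd":
            # Rule 3: a process spawned by the FTP daemon is the strongest sign of the
            # command injection described above; escalate if it follows an upload.
            up = last_upload.get(e.get("user"))
            sev = "critical" if up and ts - up <= EXEC_AFTER_UPLOAD else "high"
            alerts.append((sev, "exec_from_ftpd", ts))
        elif fac == "conn" and e.get("dir") == "out" and e["dst"] not in OUTBOUND_ALLOW:
            # Rule 4: the firewall/AP itself opening a connection to an unlisted host.
            alerts.append(("medium", "unexpected_outbound", ts))
    return alerts


if __name__ == "__main__":
    for severity, rule, ts in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} [{severity}] {rule}")
```

On the constructed sample this yields five alerts: the failed-then-successful admin login, the admin's FTP upload, a critical `exec_from_ftpd` because the shell appears one second after that upload, the outbound connection to an unlisted host, and the later FTP upload by `ops` at low severity. The order of rules matters: uploads are recorded before the exec rule runs, so the escalation from high to critical only depends on the same user's most recent upload time.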