CVE-2023-33009 and CVE-2023-33010: Multiple Critical Unauthenticated RCE Vulnerabilities in Zyxel Firewalls

Share :

On Wednesday, the 24th of May, 2023, Zyxel released a security advisory for several vulnerabilities capable of granting unauthenticated remote code execution (RCE) in their line of Firewall and VPN products, tracked as CVE-2023-33009 and CVE-2023-33010. These buffer overflow vulnerabilities are also capable of inducing denial of service conditions. 

Several threat actors, such as the group operating the Mirai botnet, have exploited other vulnerabilities similar to this one in Zyxel products; this includes CVE-2023-28771, a vulnerability in Zyxel ZyWALL/USG appliances that was used for remote code execution. Additionally, CISA’s Known Exploited Vulnerabilities Catalog includes 3 known vulnerabilities in Zyxel products at this time (CVE-2022-30525, CVE-2020-9054, CVE-2020-29583). 

While a public proof-of-concept (POC) exploit is not yet available for these vulnerabilities, Arctic Wolf Labs assesses that this vulnerability presents a high risk of future exploitation by threat actors, and strongly recommends that customers identify if they are running any devices affected by these vulnerabilities in the table listed below. Any affected organisations should apply applicable patches as part of their regular patching schedule. 

Impacted Products 

Affected model  Affected firmware version            Patch availability           
ATP  ZLD V4.32 to V5.36 Patch 1  ZLD V5.36 Patch 2 
USG FLEX  ZLD V4.50 to V5.36 Patch 1  ZLD V5.36 Patch 2 
USG FLEX50(W) / USG20(W)-VPN  ZLD V4.25 to V5.36 Patch 1  ZLD V5.36 Patch 2 
VPN  ZLD V4.30 to V5.36 Patch 1  ZLD V5.36 Patch 2 
ZyWALL/USG  ZLD V4.25 to V4.73 Patch 1  ZLD V4.73 Patch 2 

Recommendations for CVE-2023-33009 and CVE-2023-33010

Recommendation #1: Apply the necessary patches for Zyxel products within your organisation 

If you have Zyxel devices in your environment, we recommend that you review the table of affected devices listed above and apply patches where necessary. Zyxel provides instructions on how to update to the latest firmware versions at the following page:  

Recommendation #2: Limit access to web-based administration from the WAN interface 

As a security best practice, Zyxel has previously recommended limiting access to web services on the WAN interface of these appliances. 

While it is not known if this recommendation would mitigate this specific vulnerability, any practice limiting the attack surface is worthy of consideration. 

For more details, see the guidance provided on this article: 


Picture of James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents