CVE-2023-22918

Summary

A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device.

Affected Software

VendorProductVersion RangeStatus
ZyxelATP series firmware4.32 through 5.35affected
ZyxelUSG FLEX series firmware4.50 through 5.35affected
ZyxelUSG FLEX 50(W) firmware4.16 through 5.35affected
ZyxelUSG20(W)-VPN firmware4.16 through 5.35affected
ZyxelVPN series firmware4.30 through 5.35affected
ZyxelNWA110AX firmware<= 6.50(ABTG.2)affected
ZyxelWAC500 firmware<= 6.50(ABVS.0)affected
ZyxelWAX510D firmware<= 6.50(ABTF.2)affected

Weaknesses

  • CWE-359: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References