Zyxel has addressed two critical buffer overflow vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, that affect several of its firewall and VPN products.
A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service condition and remote code execution on vulnerable devices.
Below are the descriptions of both issues provided by the vendor in a security advisory:
CVE-2023-33009, with a CVSS score of 9.8, is a buffer overflow vulnerability in the notification function in some firewall versions that could allow an unauthenticated attacker to cause denial-of-service conditions and even remote code execution on an affected device.
CVE-2023-33010, with a CVSS score of 9.8, is also a buffer overflow vulnerability, in the ID processing function in some firewall versions, that could allow an unauthenticated attacker to cause denial-of-service conditions and even remote code execution on an affected device.
It is recommended to install the security updates provided to address the issues.