CVE-2023-22914 — HIGH (7.2)

Q: How severe is CVE-2023-22914?

CVE-2023-22914 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-22914?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Usg Flex 100 Firmware, Zyxel Usg Flex 100, Zyxel Usg Flex 100W Firmware, Zyxel Usg Flex 100W, Zyxel Usg Flex 200 Firmware.

Vulnerability Description

A path traversal vulnerability in the “account_print.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker with administrator privileges to execute unauthorized OS commands in the “tmp” directory by uploading a crafted file if the hotspot function were enabled.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Zyxel	Usg Flex 100 Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 100	-
Zyxel	Usg Flex 100W Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 100W	-
Zyxel	Usg Flex 200 Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 200	-
Zyxel	Usg Flex 50 Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 50	-
Zyxel	Usg Flex 50W Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 50W	-
Zyxel	Usg Flex 500 Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 500	-
Zyxel	Usg Flex 700 Firmware	>= 4.50, <= 5.35
Zyxel	Usg Flex 700	-
Zyxel	Vpn100 Firmware	>= 4.50, <= 5.35
Zyxel	Vpn100	-
Zyxel	Vpn1000 Firmware	>= 4.50, <= 5.35
Zyxel	Vpn1000	-
Zyxel	Vpn300 Firmware	>= 4.50, <= 5.35
Zyxel	Vpn300	-

Related Weaknesses (CWE)

CWE-22

References

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisVendor Advisory
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisVendor Advisory

FAQ

What is CVE-2023-22914?

CVE-2023-22914 is a vulnerability with a CVSS score of 7.2 (HIGH). A path traversal vulnerability in the “account_print.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allo...

How severe is CVE-2023-22914?

CVE-2023-22914 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22914?

Check the references section above for vendor advisories and patch information. Affected products include: Zyxel Usg Flex 100 Firmware, Zyxel Usg Flex 100, Zyxel Usg Flex 100W Firmware, Zyxel Usg Flex 100W, Zyxel Usg Flex 200 Firmware.