CVE-2023-33010 Overview
A buffer overflow vulnerability exists in the ID processing function of multiple Zyxel firewall product lines. This vulnerability affects a wide range of Zyxel security appliances including ATP series, USG FLEX series, VPN series, and ZyWALL/USG series devices running vulnerable firmware versions. The flaw allows an unauthenticated remote attacker to cause denial-of-service (DoS) conditions and potentially achieve remote code execution on affected devices.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Organizations using affected Zyxel firewalls should prioritize immediate patching as attackers can compromise network perimeter security without authentication.
Affected Products
- Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1 (ATP100, ATP200, ATP500, ATP700, ATP800)
- Zyxel USG FLEX series firmware versions 4.50 through 5.36 Patch 1 (USG FLEX 50/100/200/500/700)
- Zyxel USG FLEX 50(W) and USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1
- Zyxel VPN series firmware versions 4.30 through 5.36 Patch 1 (VPN50, VPN100, VPN300, VPN1000)
- Zyxel ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1 (USG 40/40W/60/60W)
Discovery Timeline
- May 24, 2023 - CVE-2023-33010 published to NVD
- October 27, 2025 - Last updated in NVD database
Technical Details for CVE-2023-33010
Vulnerability Analysis
This buffer overflow vulnerability (CWE-120: Buffer Copy without Checking Size of Input) resides in the ID processing function of Zyxel firewall firmware. The vulnerability occurs when the affected devices process specially crafted network requests containing oversized ID values. Because the firmware fails to properly validate the size of input data before copying it to a fixed-size buffer, an attacker can overflow the buffer and overwrite adjacent memory regions.
The network-accessible nature of these firewall devices significantly amplifies the risk, as they are designed to be internet-facing perimeter security appliances. Successful exploitation requires no authentication or user interaction, making this vulnerability particularly dangerous for organizations with exposed Zyxel firewalls.
Root Cause
The root cause of CVE-2023-33010 is improper bounds checking in the ID processing function. When handling incoming requests, the firmware copies user-supplied data into a fixed-size buffer without verifying that the input data length does not exceed the buffer's capacity. This classic buffer overflow condition allows attackers to write beyond the intended memory boundaries, corrupting adjacent memory structures and potentially gaining control of program execution flow.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication. An attacker can exploit this vulnerability by:
- Identifying an exposed Zyxel firewall running vulnerable firmware
- Sending specially crafted network packets containing oversized ID values to the target device
- Triggering the buffer overflow in the ID processing function
- Achieving denial-of-service through device crash or, in more sophisticated attacks, gaining remote code execution
The exploitation does not require any privileges or user interaction. Given that Zyxel firewalls are perimeter security devices typically exposed to the internet, the attack surface is significant. Attackers can scan for vulnerable devices and exploit them directly over the network.
Detection Methods for CVE-2023-33010
Indicators of Compromise
- Unexpected device reboots or crashes on Zyxel firewall appliances
- Anomalous network traffic patterns targeting firewall management interfaces
- Evidence of unauthorized configuration changes on firewall devices
- Unusual outbound connections from the firewall to unknown IP addresses
Detection Strategies
- Monitor network traffic for malformed packets or oversized ID values targeting Zyxel firewall services
- Implement intrusion detection signatures specific to CVE-2023-33010 exploitation attempts
- Enable comprehensive logging on Zyxel devices and forward logs to a SIEM for correlation analysis
- Conduct regular firmware version audits to identify devices running vulnerable versions
Monitoring Recommendations
- Continuously monitor firewall device health metrics including CPU utilization, memory usage, and unexpected process terminations
- Implement network behavior analysis to detect exploitation attempts against perimeter devices
- Set up alerts for authentication failures and unauthorized access attempts on management interfaces
- Review CISA KEV catalog regularly and cross-reference with deployed device inventory
How to Mitigate CVE-2023-33010
Immediate Actions Required
- Identify all Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG series devices in your environment
- Verify current firmware versions against the affected version ranges specified in the advisory
- Apply the latest firmware patches from Zyxel immediately for all vulnerable devices
- Restrict management interface access to trusted networks only until patching is complete
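The firmware version audit named above (in Detection Strategies and Immediate Actions) can be scripted against the affected ranges this advisory lists. The following is an added example, not Zyxel's or the advisory's own tooling; it assumes version strings of the form `5.36` or `V5.36 Patch 1`, and the inventory entries are constructed sample data.

```python
"""Audit a device inventory against the CVE-2023-33010 affected firmware ranges."""
import re

# Inclusive affected ranges from the advisory, keyed by product series.
# Encoded as (major, minor, patch); a release with no "Patch N" suffix is patch 0.
AFFECTED_RANGES = {
    "ATP": ((4, 32, 0), (5, 36, 1)),
    "USG FLEX": ((4, 50, 0), (5, 36, 1)),
    "USG FLEX 50(W)/USG20(W)-VPN": ((4, 25, 0), (5, 36, 1)),
    "VPN": ((4, 30, 0), (5, 36, 1)),
    "ZyWALL/USG": ((4, 25, 0), (4, 73, 1)),
}

# Assumed input format: optional leading "V", major.minor, optional "Patch N".
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '5.36 Patch 1' into a comparable (5, 36, 1) tuple; '4.73' -> (4, 73, 0)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(series, version):
    """True when the firmware falls inside the advisory's affected range for that series."""
    if series not in AFFECTED_RANGES:
        raise ValueError(f"unknown product series: {series!r}")
    low, high = AFFECTED_RANGES[series]
    return low <= parse_version(version) <= high


def audit(inventory):
    """Return the (hostname, series, version) entries that still run a vulnerable build."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "ATP", "V5.36 Patch 1"),       # last affected build -> flagged
    ("fw-edge-02", "USG FLEX", "5.36 Patch 2"),   # above the range -> clean
    ("fw-branch-03", "ZyWALL/USG", "4.73"),       # below 4.73 Patch 1 -> flagged
    ("fw-branch-04", "VPN", "5.37"),              # newer minor -> clean
]

if __name__ == "__main__":
    for hostname, series, version in audit(SAMPLE_INVENTORY):
        print(f"{hostname}: {series} {version} is in the affected range, patch it")
```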
Patch Information
Zyxel has released security patches to address this vulnerability. Organizations should upgrade to firmware versions released after 5.36 Patch 1 for ATP, USG FLEX, and VPN series devices, and versions after 4.73 Patch 1 for ZyWALL/USG series devices. Refer to the Zyxel Security Advisory for specific patch versions and download links. Given this vulnerability's inclusion in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and critical infrastructure organizations should treat patching as an urgent priority.
Workarounds
- Disable or restrict access to management interfaces from untrusted networks as a temporary measure
- Implement network segmentation to limit exposure of vulnerable firewall devices
- Deploy web application firewalls or intrusion prevention systems in front of Zyxel devices to filter malicious traffic
- Monitor device behavior closely for signs of exploitation until patches can be applied
# Verify current firmware version on Zyxel devices via CLI
show version
# Restrict management access to specific IP addresses
set service-control https allow-src-address 192.168.1.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.