CVE-2023-33010 — Zyxel Multiple Firewalls Buffer Overflow Vulnerability

Zyxel ATP/USG FLEX/VPN Firewalls — Pre-Auth Buffer Overflow in ID Processing Function; Companion to CVE-2023-33009; Same Firmware Advisory; KEV June 2023

What is Zyxel ATP/USG FLEX?

Zyxel ATP (Advanced Threat Protection), USG FLEX, USG FLEX 50(W), USG20(W)-VPN, VPN, and ZyWALL/USG are network security gateway and firewall appliances used by small-to-medium businesses and branch offices for perimeter security, SSL VPN connectivity, intrusion prevention, and content filtering. These appliances sit at the network edge and handle all inbound and outbound traffic, making them high-value targets: compromising a perimeter firewall provides attackers with network traffic visibility, VPN credential access, and a direct foothold on the protected internal network. Zyxel firewall vulnerabilities have been exploited by Mirai botnet operators, cryptomining groups, and sophisticated nation-state actors.

Overview

CVE-2023-33010 is a pre-authentication buffer overflow vulnerability in the ID processing function of multiple Zyxel firewall product lines. Like its companion CVE-2023-33009 (a buffer overflow in the notification function), CVE-2023-33010 allows an unauthenticated attacker with network access to trigger a buffer overflow that can result in remote code execution or denial of service on the affected appliance. Both vulnerabilities were patched simultaneously in Zyxel's May 24, 2023 advisory and added to CISA's KEV catalog together on June 5, 2023 — confirming active exploitation of both vulnerabilities.

Affected Versions

Product                         Vulnerable                    Fixed
ATP Series                      ZLD V4.32 to V5.36 Patch 2    ZLD V5.36 Patch 2
USG FLEX Series                 ZLD V4.50 to V5.36 Patch 2    ZLD V5.36 Patch 2
USG FLEX 50(W) / USG20(W)-VPN   ZLD V4.16 to V5.36 Patch 2    ZLD V5.36 Patch 2
VPN Series                      ZLD V4.30 to V5.36 Patch 2    ZLD V5.36 Patch 2
ZyWALL/USG Series               ZLD V4.09 to V4.73 Patch 1    ZLD V4.73 Patch 1

Technical Details

CWE-120 (Buffer Copy without Checking Size of Input — Classic Buffer Overflow). Zyxel's firewall firmware contains an ID processing function that handles identity-related data in network packets or requests without properly validating input length before copying it into a fixed-size stack or heap buffer. An unauthenticated attacker can send a specially crafted packet with an oversized ID field that overflows the buffer, overwriting adjacent memory.

By controlling the overwritten memory — including stack return addresses or function pointers — an attacker can redirect execution to attacker-supplied shellcode (remote code execution), or cause the affected process to crash (denial of service). The vulnerability is pre-authentication, meaning no credentials or prior access to the device are required — only network connectivity to the firewall.

CVE-2023-33010 (ID processing function) and CVE-2023-33009 (notification function) are distinct buffer overflows in different code paths within the same firmware, both patched in the same ZLD V5.36 Patch 2 release. The simultaneous KEV addition of both CVEs confirms that attackers were exploiting multiple overflow paths.

Discovery

Discovered by TRAPA Security researchers, who identified both buffer overflow vulnerabilities (CVE-2023-33009 and CVE-2023-33010) and reported them to Zyxel. Zyxel coordinated the fix and released firmware patches alongside the advisory.

Exploitation Context

CVE-2023-33010 was added to CISA KEV alongside CVE-2023-33009, confirming both were actively exploited after public disclosure. Zyxel edge devices are recurring targets for botnet operators and advanced threat actors due to the prevalence of these devices at SMB network edges, the slow firmware update cadence common for this device class, and the significant access that a compromised perimeter firewall provides.

Nation-state actors (including Volt Typhoon / Bronze Silhouette) have used Zyxel VPN appliance vulnerabilities as initial access vectors in campaigns targeting critical infrastructure. Botnet operators use compromised Zyxel routers and firewalls as proxy/relay nodes and as a launching point for further attacks.

Remediation

  1. Apply Zyxel firmware updates per the May 2023 advisory — update to ZLD V5.36 Patch 2 or later for ATP/USG FLEX/VPN series, ZLD V4.73 Patch 1 or later for ZyWALL/USG.
  2. Also apply the patch for CVE-2023-33009 (notification function buffer overflow) — both vulnerabilities are addressed in the same firmware update.
  3. Disable remote management over WAN if not operationally required — Zyxel management interfaces should not be internet-accessible.
  4. Restrict all management access (HTTP/HTTPS/SSH) to dedicated management networks.
  5. Review firewall logs for unusual connections or traffic anomalies around and after the May 2023 disclosure date.
  6. After patching, audit running configuration for unauthorized changes to VPN settings, firewall rules, or administrator accounts.
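The following is an added example, not code from Zyxel or this advisory: a small triage helper that encodes the Affected Versions table above and checks an inventory of firmware build strings against it, so step 1 of the remediation list can be applied across a fleet rather than device by device. The product-line labels, the "ZLD Vx.yy Patch N" parsing rule and the sample inventory are this example's own assumptions.

```python
import re
# Affected range and fixed build per product line, from the Affected Versions
# table on this page: (first vulnerable build, first fixed build).
# Product-line labels are this example's own; map your inventory onto them.
RANGES = {
    "ATP": ((4, 32, 0), (5, 36, 2)),
    "USG FLEX": ((4, 50, 0), (5, 36, 2)),
    "USG FLEX 50(W) / USG20(W)-VPN": ((4, 16, 0), (5, 36, 2)),
    "VPN": ((4, 30, 0), (5, 36, 2)),
    "ZyWALL/USG": ((4, 9, 0), (4, 73, 1)),
}
_VER_RE = re.compile(r"V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)

def parse_zld(version: str) -> tuple:
    """'ZLD V5.36 Patch 2' or 'V4.09' -> (major, minor, patch); no suffix = 0."""
    m = _VER_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def status(product: str, version: str) -> str:
    """Classify a build against the advisory range for its product line."""
    first_vuln, fixed = RANGES[product]
    v = parse_zld(version)
    if v >= fixed:
        return "fixed"
    if v >= first_vuln:
        return "vulnerable"
    # Below the listed range: outside this patch's scope and likely end-of-life.
    return "older than advisory range"

def triage(inventory):
    """Return (host, product, version, status) for every entry not on a fixed build."""
    out = []
    for host, product, version in inventory:
        s = status(product, version)
        if s != "fixed":
            out.append((host, product, version, s))
    return out

# Constructed sample inventory; hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.36 Patch 1"),
    ("fw-branch-02", "USG FLEX", "ZLD V5.36 Patch 2"),
    ("fw-legacy-01", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-legacy-02", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-vpn-01", "VPN", "ZLD V4.29"),
]
```

Builds older than the advisory's listed range are reported separately rather than marked safe, since the table says nothing about them and they are unlikely to receive the fix.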

Key Details

Property              Value
CVE ID                CVE-2023-33010
Vendor / Product      Zyxel — Multiple Firewalls
NVD Published         2023-05-24
NVD Last Modified     2025-10-27
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-120
CISA KEV Added        2023-06-05
CISA KEV Deadline     2023-06-26
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-06-26. Apply updates per vendor instructions.

Timeline

Date        Event
2023-05-24  Zyxel publishes advisory patching CVE-2023-33009 and CVE-2023-33010 — two distinct buffer overflows in different firewall functions
2023-06-05  CISA adds CVE-2023-33009 and CVE-2023-33010 to the Known Exploited Vulnerabilities catalog
2023-06-26  CISA BOD 22-01 remediation deadline