SecurityWeek reports that four vulnerabilities impacting some Zyxel firewall and access point offerings have been addressed by the Taiwanese networking device manufacturer in newly released patches.
Threat actors could leverage the null pointer deference flaw, tracked as CVE-2023-6397, to facilitate denial-of-service conditions in vulnerable firewalls with activated "Anti-Malware" functionality, while the post-authentication command injection bug, tracked as CVE-2023-6398, could be exploited to enable operating system command execution through FTP among attackers with admin privileges, according to an advisory from Zyxel. Similar DoS conditions could be achieved by threat actors with IPSec VPN authentication through the abuse of the format string security issue, tracked as CVE-2023-6399, while another format string within IPSec VPN, tracked as CVE-2023-6764, could be exploited to cause unauthenticated remote code execution. However, Zyxel emphasized the challenges involved in exploiting the second format string bug, which needs an extensive awareness of both the configuration and memory layout of the targeted device.