Anyone running a Zyxel firewall should update it as soon as possible. Researchers at TRAPA Security reported a flaw in how the devices handle error messages. From Zyxel's advisory:
Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
The issue is tracked as CVE-2023-28771 and carries a CVSS v3.1 base score of 9.8, which puts it in the Critical band. The score reflects what the advisory describes: the attack needs no authentication, no user interaction and only network reachability, so firewalls whose affected services face the internet should be patched first. For reference, here is the CVSS v3 qualitative severity scale that the score maps onto:
None 0.0
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical 9.0 – 10.0
Sources: Zyxel, NIST