{"cve":{"cve_id":"CVE-2023-28771","is_kev":true,"kev_date_added":"2023-05-31","kev_vendor_project":"Zyxel","kev_product":"Multiple Firewalls","kev_vulnerability_name":"Zyxel Multiple Firewalls OS Command Injection Vulnerability","kev_short_description":"Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG firewalls allow for improper error message handling which could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2023-06-21","kev_known_ransomware":false,"kev_notes":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls;   https://nvd.nist.gov/vuln/detail/CVE-2023-28771","kev_cwes":["CWE-78"],"epss_score":0.99284,"epss_percentile":0.99932,"epss_as_of":"2026-06-23","description":"Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.","published_at":"2023-04-25T00:00:00Z","last_modified_at":null,"cvss_v3_score":9.8,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"CRITICAL","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":true,"ssvc_technical_impact":"total","cwes":["CWE-78"],"nvd_references":["https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls","http://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-29T01:29:15.447901Z"},"effective_severity":"CRITICAL","badges":["kev","poc","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"atp-series-firmware","product_name":"ATP series firmware","version_start":"4.60 through 5.35","version_start_inclusive":true,"version_end":"4.60 through 5.35","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:atp-series-firmware:4.60 through 5.35:4.60 through 5.35"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"usg-flex-series-firmware","product_name":"USG FLEX series firmware","version_start":"4.60 through 5.35","version_start_inclusive":true,"version_end":"4.60 through 5.35","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:usg-flex-series-firmware:4.60 through 5.35:4.60 through 5.35"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"vpn-series-firmware","product_name":"VPN series firmware","version_start":"4.60 through 5.35","version_start_inclusive":true,"version_end":"4.60 through 5.35","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:vpn-series-firmware:4.60 through 5.35:4.60 through 5.35"},{"vendor_slug":"zyxel","vendor_name":"Zyxel","product_slug":"zywall-usg-series-firmware","product_name":"ZyWALL/USG series firmware","version_start":"4.60 through 4.73","version_start_inclusive":true,"version_end":"4.60 through 4.73","version_end_inclusive":true,"cpe23_uri":"cve5:zyxel:zywall-usg-series-firmware:4.60 through 4.73:4.60 through 4.73"}],"exploit_refs":[{"source":"nuclei","kind":"nuclei","url":"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/zyxel/unauth-ztp-ping.yaml","title":"Unauthenticated ZyXEL USG ZTP - Detect","author":"dmartyn","disclosed_at":null}],"news":[],"references":[{"url":"https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"http://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html","source_type":"EXPLOIT","tags":["exploit"]}],"timeline":[{"type":"published","at":"2023-04-25T00:00:00Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2023-05-31T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"poc_available","at":"2026-06-24T00:29:48.638073Z","label":"Public PoC available","source":"nuclei"},{"type":"cvss_changed","at":"2026-06-28T17:27:44.223063Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:27:44.223063Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:27:44.223063Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"ssvc_changed","at":"2026-06-29T01:29:15.447901Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:29:15.447901Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-29T01:29:15.447901Z","label":"SSVC decision revised","source":"vulnrichment"}]}