Zyxel warns of critical vulnerabilities in firewall and VPN devices

Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication.

Both security issues are buffer overflows and could allow denial-of-service (DoS) and remote code execution on vulnerable devices.

“Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities,” the vendor says in a security advisory. “Users are advised to install them for optimal protection,” the company adds.

Buffer overflow issues allow memory manipulation, enabling attackers to write data beyond the allocated section. They usually lead to system crashes, but in some cases successful exploitation can allow code execution on the device.

Zyxel’s latest patch addresses the following issues:

  1. CVE-2023-33009: A buffer overflow vulnerability in the notification function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)
  2. CVE-2023-33010: A buffer overflow vulnerability in the ID processing function in some Zyxel products, allowing an unauthenticated attacker to perform remote code execution or impose DoS conditions. (critical severity score of 9.8)

The company says that vulnerable devices are running the following firmware:

  • Zyxel ATP firmware versions ZLD V4.32 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX firmware versions ZLD V4.50 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel USG FLEX50(W) / USG20(W)-VPN firmware versions ZLD V4.25 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel VPN firmware versions ZLD V4.30 to V5.36 Patch 1 (fixed in ZLD V5.36 Patch 2)
  • Zyxel ZyWALL/USG firmware versions ZLD V4.25 to V4.73 Patch 1 (fixed in ZLD V4.73 Patch 2)

The vendor recommends users of the impacted products apply the latest security updates as soon as possible to eliminate the risk of hackers exploiting the two flaws.

Devices running the vulnerable versions above are used by small to medium-size businesses to protect their network and to allow secure network access (VPNs) to remote or home-based workers.

Threat actors keep a watchful eye on any critical flaws that impact such devices as they could facilitate easy access to corporate networks.

Last week, cybersecurity researcher Kevin Beaumont reported that a command injection flaw that Zyxel fixed in April is actively exploited and that it impacts the same firewall and VPN products as this time.

Last year, CISA published a warning about hackers leveraging a remote code execution flaw in Zyxel firewall and VPN devices, urging system administrators to apply the firmware patches as soon as possible.