Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices
CVEs: CVE-2023-37929, CVE-2024-0816
Summary
Zyxel has released patches for some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices affected by buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2023-37929
This buffer overflow vulnerability in the CGI program of some DSL/Ethernet CPE, and Wi-Fi extender devices could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
CVE-2024-0816
This buffer overflow vulnerability in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, and Wi-Fi extender devices could allow an authenticated local attacker to cause DoS conditions by executing the CLI command with crafted strings on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerabilities, as shown in the tables below.
Models affected by CVE-2023-37929
| Product | Affected model | Affected version | Patch availability* |
| DSL/Ethernet CPE | DX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 |
| DX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| DX4510 | V5.17(ABYL.5)C0 | V5.17(ABYL.6)C0 | |
| DX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| DX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EMG3525-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| EMG5523-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| EX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3500-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3501-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3510 | V5.17(ABUP.9)C0 | V5.17(ABUP.11)C0 | |
| EX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5501-B0 | V5.17(ABRY.4)C0 | V5.17(ABRY.5)C0 | |
| EX5510 | V5.17(ABQX.8)C0 | V5.17(ABQX.9)C0 | |
| EX5512-T0 | V5.70(ACEG.2)C0 | V5.70(ACEG.3)C0 | |
| EX5600-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T0 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX7710-B0 | V5.18(ACAK.0)C0 | V5.18(ACAK.1)C0 | |
| VMG3625-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| VMG8623-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 |
| AX7501-B1 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 | |
| Wi-Fi extender | WX3100-T0 | V5.50(ABVL.3)C0 | V5.50(ABVL.4)C0 |
| WX5600-T0 | V5.70(ACEB.2)C0 | V5.70(ACEB.2.2)C0 | |
| WX5610-B0 | V5.18(ACGJ.0)C0 | V5.18(ACGJ.0)C1 |
* Please contact your Zyxel sales representative or support team for the file.
Models affected by CVE-2024-0816
| Product | Affected model | Affected version | Patch availability* |
| 5G NR/4G LTE CPE | LTE3202-M437 | V1.00(ABWF.3)C0 | Hotfix is available Standard patch V1.00(ABWF.4)C0 in August 2024 |
| LTE3301-Plus | V1.00(ABQU.5)C0 | Hotfix is available Standard patch V1.00(ABQU.6)C0 in August 2024 | |
| LTE5388-M804 | V1.00(ABSQ.4)C0 | Hotfix is available Standard patch V1.00(ABSQ.5)C0 in August 2024 | |
| LTE5398-M904 | V1.00(ABQV.4)C0 | Hotfix is available Standard patch V1.00(ABQV.5)C0 in August 2024 | |
| LTE7240-M403 | V2.00(ABMG.7)C0 | Hotfix is available Standard patch V2.00(ABMG.8)C0 in August 2024 | |
| LTE7480-M804 | V1.00(ABRA.8)C0 | Hotfix is available Standard patch V1.00(ABRA.9)C0 in August 2024 | |
| LTE7490-M904 | V1.00(ABQY.7)C0 | Hotfix is available Standard patch V1.00(ABQY.8)C0 in August 2024 | |
| NR5103 | V4.19(ABYC.5)C0 | Hotfix is available Standard patch V4.19(ABYC.6)C0 in August 2024 | |
| NR5103E | V1.00(ACDJ.1)b3 | Hotfix is available Standard patch V1.00(ACDJ.2)C0 in August 2024 | |
| NR5103EV2 | V1.00(ACIQ.0)C0 | Hotfix is available Standard patch V1.00(ACIQ.1)C0 in August 2024 | |
| NR5307 | V1.00(ACJT.0)b4 | Hotfix is available Standard patch V1.00(ACJT.0)C0 in August 2024 | |
| NR7101 | V1.00(ABUV.9)C0 | Hotfix is available Standard patch V1.00(ABUV.10)C0 in August 2024 | |
| NR7102 | V1.00(ABYD.2)C0 | Hotfix is available Standard patch V1.00(ABYD.3)C0 in August 2024 | |
| NR7103 | V1.00(ACCZ.2)C0 | Hotfix is available Standard patch V1.00(ACCZ.3)C0 in August 2024 | |
| NR7302 | V1.00(ACHA.2)C0 | Hotfix is available Standard patch V1.00(ACHA.3)C0 in August 2024 | |
| NR7303 | V1.00(ACEI.0)C0 | Hotfix is available Standard patch V1.00(ACEI.1)C0 in August 2024 | |
| NR7501 | V1.00(ACEH.0)C0 | Hotfix is available Standard patch V1.00(ACEH.1)C0 in August 2024 | |
| DSL/Ethernet CPE | DX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 |
| DX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| DX4510 | V5.17(ABYL.6)C0 | V5.17(ABYL.7)C0 | |
| DX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| DX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EMG3525-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| EMG5523-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| EX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3320-T0 | V5.71(YAK.2)D0 | V5.71(YAK.3)D0 | |
| EX3320-T1 | V5.71(YAP.0)C0 | V5.71(YAP.1)C0 | |
| EX3500-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3501-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3510 | V5.17(ABUP.11)C0 | V5.17(ABUP.12)C0 | |
| EX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5501-B0 | V5.17(ABRY.4)C0 | V5.17(ABRY.5)C0 | |
| EX5510 | V5.17(ABQX.9)C0 | V5.17(ABQX.10)C0 | |
| EX5512-T0 | V5.70(ACEG.2)C0 | V5.70(ACEG.3)C0 | |
| EX5600-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T0 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX7710-B0 | V5.18(ACAK.0)C0 | V5.18(ACAK.1)C0 | |
| VMG3625-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| VMG4005-B50A | V5.17(ABQA.2)C0 | V5.17(ABQA.2.1)C0 | |
| VMG4005-B60A | V5.17(ABQA.2)C0 | V5.17(ABQA.2.1)C0 | |
| VMG8623-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 |
| AX7501-B1 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 | |
| PM3100-T0 | V5.42(ACBF.1.2)C0 | V5.42(ACBF.2)C0 | |
| PM5100-T0 | V5.42(ACBF.1.2)C0 | V5.42(ACBF.2)C0 | |
| PM7300-T0 | V5.42(ABYY.1)C0 | V5.42(ABYY.2.1)C0 | |
| PX3321-T1 | V5.44(ACJB.0)C0 | V5.44(ACJB.1)C0 | |
| Wi-Fi extender | WX3100-T0 | V5.50(ABVL.3)C0 | V5.50(ABVL.4.1)C0 |
| WX3401-B0 | V5.17(ABVE.2)C0 | V5.17(ABVE.2.4)C0 | |
| WX5600-T0 | V5.70(ACDZ.2)C0 | V5.70(ACEB.2.2)C0 | |
| WX5610-B0 | V5.18(ACGJ.0)C0 | V5.18(ACGJ.0)C1 |
* Please contact your Zyxel sales representative or support team for the file.
Please note that the table does NOT include customized models for internet service providers (ISPs).
Got a question?
For ISPs, please contact your Zyxel sales or service representatives for further details. For customers who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.
Acknowledgment
Thanks to the following security researchers:
- Xingyu Xu from the Institute of Software, Chinese Academy of Sciences (ISCAS) for CVE-2023-37929
- Marko Silokunnas from Telia Company for CVE-2024-0816
Revision history
2024-5-21: Initial release