Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices
CVEs: CVE-2023-37929, CVE-2024-0816
Summary
Zyxel has released patches for some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices affected by buffer overflow vulnerabilities. Users are advised to install them for optimal protection.
What are the vulnerabilities?
CVE-2023-37929
This buffer overflow vulnerability in the CGI program of some DSL/Ethernet CPE, WiFi extender, and home router devices could allow an authenticated remote attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
CVE-2024-0816
This buffer overflow vulnerability in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices could allow an authenticated local attacker to cause DoS conditions by executing the CLI command with crafted strings on an affected device.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the vulnerable products that are within their vulnerability support period and released patches to address the vulnerabilities, as shown in the tables below.
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| DSL/Ethernet CPE | DX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 |
| DX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| DX4510 | V5.17(ABYL.5)C0 | V5.17(ABYL.6)C0 | |
| DX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| DX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EMG3525-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| EMG5523-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| EX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3500-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3501-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3510 | V5.17(ABUP.9)C0 | V5.17(ABUP.11)C0 | |
| EX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5501-B0 | V5.17(ABRY.4)C0 | V5.17(ABRY.5)C0 | |
| EX5510 | V5.17(ABQX.8)C0 | V5.17(ABQX.9)C0 | |
| EX5512-T0 | V5.70(ACEG.2)C0 | V5.70(ACEG.3)C0 | |
| EX5600-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T0 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX7710-B0 | V5.18(ACAK.0)C0 | V5.18(ACAK.1)C0 | |
| VMG3625-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| VMG8623-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.1)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 |
| AX7501-B1 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 | |
| WiFi extender | WX3100-T0 | V5.50(ABVL.3)C0 | V5.50(ABVL.4)C0 |
| WX5600-T0 | V5.70(ACEB.2)C0 | V5.70(ACEB.2.2)C0 | |
| WX5610-B0 | V5.18(ACGJ.0)C0 | V5.18(ACGJ.0)C1 | |
| Home router | NBG7510 | V1.00(ABZY.5)C0 | V1.00(ABZY.6)C0 |
| Product | Affected model | Affected version | Patch availability* |
|---|---|---|---|
| 5G NR/4G LTE CPE | LTE3202-M437 | V1.00(ABWF.3)C0 | Hotfix is available Standard patch V1.00(ABWF.4)C0 in August 2024 |
| LTE3301-Plus | V1.00(ABQU.5)C0 | Hotfix is available Standard patch V1.00(ABQU.6)C0 in August 2024 |
|
| LTE5388-M804 | V1.00(ABSQ.4)C0 | Hotfix is available Standard patch V1.00(ABSQ.5)C0 in August 2024 |
|
| LTE5398-M904 | V1.00(ABQV.4)C0 | Hotfix is available Standard patch V1.00(ABQV.5)C0 in August 2024 |
|
| LTE7240-M403 | V2.00(ABMG.7)C0 | Hotfix is available Standard patch V2.00(ABMG.8)C0 in August 2024 |
|
| LTE7480-M804 | V1.00(ABRA.8)C0 | Hotfix is available Standard patch V1.00(ABRA.9)C0 in August 2024 |
|
| LTE7490-M904 | V1.00(ABQY.7)C0 | Hotfix is available Standard patch V1.00(ABQY.8)C0 in August 2024 |
|
| NR5103 | V4.19(ABYC.5)C0 | Hotfix is available Standard patch V4.19(ABYC.6)C0 in August 2024 |
|
| NR5103E | V1.00(ACDJ.1)b3 | Hotfix is available Standard patch V1.00(ACDJ.2)C0 in August 2024 |
|
| NR5103EV2 | V1.00(ACIQ.0)C0 | Hotfix is available Standard patch V1.00(ACIQ.1)C0 in August 2024 |
|
| NR5307 | V1.00(ACJT.0)b4 | Hotfix is available Standard patch V1.00(ACJT.0)C0 in August 2024 |
|
| NR7101 | V1.00(ABUV.9)C0 | Hotfix is available Standard patch V1.00(ABUV.10)C0 in August 2024 |
|
| NR7102 | V1.00(ABYD.2)C0 | Hotfix is available Standard patch V1.00(ABYD.3)C0 in August 2024 |
|
| NR7103 | V1.00(ACCZ.2)C0 | Hotfix is available Standard patch V1.00(ACCZ.3)C0 in August 2024 |
|
| NR7302 | V1.00(ACHA.2)C0 | Hotfix is available Standard patch V1.00(ACHA.3)C0 in August 2024 |
|
| NR7303 | V1.00(ACEI.0)C0 | Hotfix is available Standard patch V1.00(ACEI.1)C0 in August 2024 |
|
| NR7501 | V1.00(ACEH.0)C0 | Hotfix is available Standard patch V1.00(ACEH.1)C0 in August 2024 |
|
| Nebula FWA505 | V1.18(ACKO.1)C0 | Hotfix is available Standard patch V1.18(ACKO.2)C0 in July 2024 |
|
| Nebula FWA510 | V1.18(ACGD.1)C0 | Hotfix is available Standard patch V1.18(ACGD.2)C0 in July 2024 |
|
| Nebula FWA710 | V1.17(ACGC.0)C0 | Hotfix is available Standard patch V1.18(ACGC.2) in July 2024 |
|
| Nebula LTE3301-PLUS | V1.17(ACCA.0)C0 | Hotfix is available Standard patch V1.18(ACCA.2)C0 in July 2024 |
|
| Nebula LTE7461-M602 | V1.15(ACEV.3)C0 | Hotfix is available | |
| Nebula NR5101 | V1.16(ACCG.0)C0 | Hotfix is available | |
| Nebula NR7101 | V1.16(ACCC.0)C0 | Hotfix is available | |
| DSL/Ethernet CPE | DX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 |
| DX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| DX4510 | V5.17(ABYL.6)C0 | V5.17(ABYL.7)C0 | |
| DX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| DX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EMG3525-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| EMG5523-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| EMG5723-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| EX3300-T1 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3301-T0 | V5.50(ABVY.4)C0 | V5.50(ABVY.4.2)C0 | |
| EX3320-T0 | V5.71(YAK.2)D0 | V5.71(YAK.3)D0 | |
| EX3320-T1 | V5.71(YAP.0)C0 | V5.71(YAP.1)C0 | |
| EX3500-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3501-T0 | V5.44(ACHR.0)C0 | V5.44(ACHR.1)C0 | |
| EX3510 | V5.17(ABUP.11)C0 | V5.17(ABUP.12)C0 | |
| EX5401-B0 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5401-B1 | V5.17(ABYO.5)C0 | V5.17(ABYO.5.1)C0 | |
| EX5501-B0 | V5.17(ABRY.4)C0 | V5.17(ABRY.5)C0 | |
| EX5510 | V5.17(ABQX.9)C0 | V5.17(ABQX.10)C0 | |
| EX5512-T0 | V5.70(ACEG.2)C0 | V5.70(ACEG.3)C0 | |
| EX5600-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T0 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX5601-T1 | V5.70(ACDZ.2)C0 | V5.70(ACDZ.2.4)C0 | |
| EX7710-B0 | V5.18(ACAK.0)C0 | V5.18(ACAK.1)C0 | |
| VMG3625-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| VMG3927-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| VMG4005-B50A | V5.17(ABQA.2)C0 | V5.17(ABQA.2.1)C0 | |
| VMG4005-B60A | V5.17(ABQA.2)C0 | V5.17(ABQA.2.1)C0 | |
| VMG8623-T50B | V5.50(ABPM.8)C0 | V5.50(ABPM.8.3)C0 | |
| VMG8825-T50K | V5.50(ABOM.8.2)C0 | V5.50(ABOM.8.3)C0 | |
| Fiber ONT | AX7501-B0 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 |
| AX7501-B1 | V5.17(ABPC.4)C0 | V5.17(ABPC.4.1)C0 | |
| PM3100-T0 | V5.42(ACBF.1.2)C0 | V5.42(ACBF.2)C0 | |
| PM5100-T0 | V5.42(ACBF.1.2)C0 | V5.42(ACBF.2)C0 | |
| PM7300-T0 | V5.42(ABYY.1)C0 | V5.42(ABYY.2.1)C0 | |
| PX3321-T1 | V5.44(ACJB.0)C0 | V5.44(ACJB.1)C0 | |
| WiFi extender | WX3100-T0 | V5.50(ABVL.3)C0 | V5.50(ABVL.4.1)C0 |
| WX3401-B0 | V5.17(ABVE.2)C0 | V5.17(ABVE.2.4)C0 | |
| WX5600-T0 | V5.70(ACDZ.2)C0 | V5.70(ACEB.2.2)C0 | |
| WX5610-B0 | V5.18(ACGJ.0)C0 | V5.18(ACGJ.0)C1 | |
| Home router | NBG7510 | V1.00(ABZY.6)C0 | V1.00(ABZY.7)C0 |
*Please reach out to your local Zyxel support team for the file.
Please note that the tables do NOT include customized models for internet service providers (ISPs).
For ISPs, please contact your Zyxel sales or service representatives for further details.
For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings.
For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel’s Community for further assistance.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
Acknowledgment
Thanks to the following security researchers:
- Xingyu Xu from the Institute of Software, Chinese Academy of Sciences (ISCAS) for CVE-2023-37929
- Marko Silokunnas from Telia Company for CVE-2024-0816
Revision history
2024-5-21: Initial release