CVE-2023-28770 : The sensitive information exposure vulnerability in the CGI “Export

The sensitive information exposure vulnerability in the CGI “Export_Log” and the binary “zcmd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to read the system files and to retrieve the password of the supervisor from the encrypted file.

Published 2023-04-27 09:15:10

Updated 2025-01-31 19:15:13

Source Zyxel Corporation

View at NVD, CVE.org

Products affected by CVE-2023-28770

Zyxel » Dx5401-b0 Firmware
Versions before (<) 5.17\(abyo.1\)c0
cpe:2.3:o:zyxel:dx5401-b0_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Zyxel » Dx5401-b0 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-28770

EPSS FAQ

79.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2023-28770

Zyxel chained RCE using LFI and weak password derivation algorithm

Disclosure Date: 2022-02-01

First seen: 2023-09-11

exploit/linux/http/zyxel_lfi_unauth_ssh_rce

This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure

More information

CVSS scores for CVE-2023-28770

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-31
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	Zyxel Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-28770

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security@zyxel.com.tw (Primary)
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)

References for CVE-2023-28770

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities

Zyxel security advisory for multiple vulnerabilities | Zyxel Networks
Vendor Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/172277/Zyxel-Chained-Remote-Code-Execution.html

Zyxel Chained Remote Code Execution ≈ Packet Storm
https://packetstorm.news/files/id/172277

Jump to