A post-authentication command injection vulnerability in the file upload binary in Zyxel ATP series firmware versions from 4.32 up to and including 5.37 Patch 1, USG FLEX series firmware versions from 4.50 up to and including 5.37 Patch 1, USG FLEX 50(W) series firmware versions from 4.16 up to and including 5.37 Patch 1, USG20(W)-VPN series firmware versions from 4.16 up to and including 5.37 Patch 1, USG FLEX H series firmware versions from 1.10 up to and including 1.10 Patch 1, NWA50AX firmware versions up to and including 6.29(ABYW.3), WAC500 firmware versions up to and including 6.65(ABVS.1), WAX300H firmware versions up to and including 6.60(ACHF.1), and WBE660S firmware versions up to and including 6.65(ACGG.1) could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands on an affected device via FTP.
Vulmon