Zyxel Customers Urged to Patch Exploited Bug


The security community is urging users of Zyxel networking devices to update their firewalls and VPN gateways after reports that a remote code execution vulnerability in the products is being actively exploited in the wild.

The Taiwanese vendor published a fix for CVE-2023-28771 on April 25, revealing that the flaw affects its ATP, USG FLEX and VPN series from firmware ZLD V4.60 to V5.35. In the case of the ZyWALL/USG series it impacts versions ZLD V4.60 to V4.73.
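The affected ranges above are the one thing in this advisory that an administrator has to apply to an inventory, and the version strings Zyxel devices report need some parsing before they can be compared. The following Python is an added example, not code from Zyxel, Rapid7 or the article: it turns a ZLD version string into a comparable tuple and checks it against the ranges stated above. Two things in it are assumptions rather than page content: the fixed releases (ZLD V5.36, and ZLD V4.73 Patch 1 for ZyWALL/USG, taken from the vendor advisory) are used as the upper bound of each range, and the accepted string forms ("V4.73(ABFW.1)", where the digit after the dot is the patch level, and "V4.73 Patch 1") reflect the vendor's naming convention as understood here. The inventory at the bottom is constructed sample data.

```python
"""Triage a Zyxel inventory against the CVE-2023-28771 affected ranges.

Added example, not vendor code.  Affected ranges follow Zyxel's advisory;
the first-fixed releases used as upper bounds (ZLD V5.36, and ZLD V4.73
Patch 1 for ZyWALL/USG) are an assumption taken from the vendor advisory
and should be confirmed against it before use.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch)

# Half-open ranges [first affected, first fixed) per product family.
# ZLD minor versions are two-digit (4.60, 4.73, 5.35, ...), so comparing
# them as integers orders them correctly; this is an assumption about the
# vendor's numbering.
AFFECTED_RANGES = {
    "ATP": ((4, 60, 0), (5, 36, 0)),
    "USG FLEX": ((4, 60, 0), (5, 36, 0)),
    "VPN": ((4, 60, 0), (5, 36, 0)),
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 1)),
}

# Accepts "ZLD V5.35", "V4.73(ABFW.1)" and "V4.73 Patch 1" (assumed formats).
_VERSION_RE = re.compile(
    r"V(?P<major>\d+)\.(?P<minor>\d+)"            # V5.35
    r"(?:\((?P<build>[A-Z]+)\.(?P<bp>\d+)\))?"    # (ABFW.1): build code + patch
    r"(?:\s*Patch\s*(?P<patch>\d+))?",            # "Patch 1"
    re.IGNORECASE,
)


def parse_zld_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for a ZLD version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # An explicit "Patch N" wins; otherwise use the digit after the build code.
    patch = m.group("patch") or m.group("bp") or "0"
    return (int(m.group("major")), int(m.group("minor")), int(patch))


def is_affected(product: str, version_text: str) -> bool:
    """True if the firmware lies inside the advisory's affected range."""
    low, first_fixed = AFFECTED_RANGES[product]
    version = parse_zld_version(version_text)
    if version is None:
        raise ValueError(f"unrecognised ZLD version string: {version_text!r}")
    return low <= version < first_fixed


# Constructed sample inventory (hostname, product family, reported firmware).
SAMPLE_INVENTORY = [
    ("fw-branch-1", "USG FLEX", "ZLD V5.35(ABUJ.0)"),   # affected
    ("fw-hq", "ATP", "V5.36(ABUI.0)"),                 # first fixed release
    ("fw-legacy", "ZyWALL/USG", "V4.73(AAPH.0)"),      # affected
    ("fw-legacy-2", "ZyWALL/USG", "V4.73 Patch 1"),    # patched
    ("fw-old", "VPN", "V4.50(ABFC.0)"),                # below the affected range
]


def triage(inventory) -> List[str]:
    """Hostnames whose firmware is inside the affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2023-28771, update required")
```

Because the ZyWALL/USG fix is a patch release on the same base version (V4.73), a check that compares only major.minor would wrongly report patched V4.73 devices as vulnerable, which is why the patch level is carried through the comparison. A device whose version string the parser does not recognise raises rather than being silently skipped, so an odd build label ends up on the worklist instead of in the gaps.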

“Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel warned in its advisory.


Rapid7 explained in a blog post yesterday that the bug is present in the default configuration of vulnerable devices and is reachable through the Wide Area Network (WAN) interface, which is designed to be exposed to the internet, so no special configuration is needed for a device to be at risk.

“Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device,” it added.

Rapid7 warned that the CVE is being “widely exploited” to compromise devices and conscript them into a Mirai-based botnet, most likely for DDoS attacks.

In a further indication of the potential impact of the vulnerability, the US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities Catalog.

That means civilian federal agencies have until June 21 to patch it, although non-government organizations are also urged to take action on any vulnerabilities listed in the catalog.

As if that weren't enough for Zyxel customers, the firm also published an advisory for two newer vulnerabilities, CVE-2023-33009 and CVE-2023-33010, last week. These are buffer overflow vulnerabilities that can allow unauthenticated attackers to "cause a DoS condition or execute arbitrary code on affected devices," according to Rapid7.
