Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771)
Security News, May 2023
A recently fixed command injection vulnerability affecting a variety of Zyxel firewalls may soon be exploited in the wild, Rapid7 researchers have warned, after publishing a technical analysis and a PoC script that triggers the vulnerability and achieves a reverse root shell.
Affected are Zyxel ATP, USG FLEX, and VPN firewalls running versions v4.60 to v5.35 of the ZLD firmware, and.
The vulnerability arises from improper error message handling and can be triggered by sending a specially crafted UDP packet to port 500 on a vulnerable device's WAN interface, allowing attackers to achieve OS command execution as the root user.
"The vulnerable component is the Internet Key Exchange packet decoder, which forms part of the IPSec VPN service offered by the device," Rapid7 researchers said, but pointed out that a VPN does not need to be configured on the device for the device to be vulnerable.
"There are some 42,000 instances of Zyxel web interfaces exposed to the public internet. This does not capture vulnerable VPN implementations, which means real exposure is likely much higher."
Discovered and reported by TRAPA Security researchers, the vulnerability was fixed by Zyxel in April 2023 with the release of ZLD v5.36 and ZLD v4.73 Patch 1.
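As an added example (not code from the article, Rapid7 or Zyxel), the following triage script maps an inventory of ZLD firmware versions onto the affected range and fixed releases the article names, including the edge case that 4.73 without the patch is still inside the affected range while 4.73 Patch 1 is fixed. The version-string format it accepts and the sample hostnames are assumptions.

```python
import re

# Version ranges as stated in the article: ZLD v4.60 through v5.35 are affected;
# fixes shipped in ZLD v5.36 and ZLD v4.73 Patch 1.
AFFECTED_FROM = (4, 60, 0)
FIXED_4X = (4, 73, 1)   # 4.73 Patch 1 or later on the 4.x branch
FIXED_5X = (5, 36, 0)   # 5.36 or later on the 5.x branch

# Assumed input format (not from the article): "v4.73 Patch 1", "5.35", "V4.73p1".
_VER = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\s*(?:[Pp]atch\s*|[Pp])(\d+))?$")


def parse_zld_version(text: str) -> tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one ZLD version string."""
    v = parse_zld_version(text)
    if v < AFFECTED_FROM:
        return "unlisted"          # older than the range the advisory names
    if v[0] == 4:
        return "fixed" if v >= FIXED_4X else "vulnerable"
    if v[0] == 5:
        return "fixed" if v >= FIXED_5X else "vulnerable"
    return "fixed"                 # newer major branch than any fixed release


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every device in a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fw-branch-01": "V5.35",
        "fw-branch-02": "v5.36",
        "fw-dc-01": "4.73 Patch 1",
        "fw-dc-02": "4.73",
        "fw-legacy": "4.50",
    }
    for host, status in triage(sample).items():
        print(f"{host:14} {sample[host]:14} {status}")
```

Devices reported as "vulnerable" should be patched or have UDP/500 on the WAN side restricted until they are, since the article notes a VPN need not be configured for the device to be exposed.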