Security News > 2023 > May > Hackers exploit critical Zyxel firewall flaw in ongoing attacks

Hackers exploit critical Zyxel firewall flaw in ongoing attacks
2023-05-31 17:54

Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware.

The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device.

This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw.

One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023.

While the Mirai threat is typically limited to DDoS, other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations.

It is also important to note that Zyxel has recently fixed two other critical severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products.


News URL

https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-zyxel-firewall-flaw-in-ongoing-attacks/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-05-24 CVE-2023-33010 Classic Buffer Overflow vulnerability in Zyxel products
A buffer overflow vulnerability in the ID processing function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
network
low complexity
zyxel CWE-120
critical
9.8
2023-05-24 CVE-2023-33009 Classic Buffer Overflow vulnerability in Zyxel products
A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.60 through 5.36 Patch 1, USG FLEX series firmware versions 4.60 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.60 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.60 through 5.36 Patch 1, VPN series firmware versions 4.60 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.60 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device.
network
low complexity
zyxel CWE-120
critical
9.8
2023-04-25 CVE-2023-28771 OS Command Injection vulnerability in Zyxel products
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
network
low complexity
zyxel CWE-78
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 485 3 121 77 45 246