Hackers are taking advantage of a critical command injection flaw in Zyxel networking devices, identified as CVE-2023-28771, to install malware. The vulnerability, found in the default configuration of affected firewall and VPN devices, allows for unauthenticated remote code execution using a specially crafted IKEv2 packet sent to UDP port 500 on the device. Zyxel released patches for the vulnerability on April 25, 2023, and advised users of specific product versions to apply the patches to resolve the issue.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that CVE-2023-28771 is being actively exploited by attackers and urged federal agencies to apply the available update by June 21, 2023. The alert is consistent with a report from Rapid7 today that also confirms active exploitation of the flaw. One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet, which, according to Shadowserver, began launching attacks on May 26, 2023. Cybersecurity researcher Kevin Beaumont observed similar activity a day earlier and pointed out that the attackers were using a publicly available proof-of-concept (PoC) exploit.
Although the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less noticeable exploitation to mount more damaging attacks against organizations. It is also crucial to note that Zyxel has recently fixed two other critical-severity flaws, CVE-2023-33009 and CVE-2023-33010, which affect the same firewall and VPN products. These two flaws could allow unauthenticated attackers to cause a denial of service on vulnerable devices or execute arbitrary code.
System administrators should apply the available security updates as soon as possible to mitigate emerging exploitation risks, as the more recent flaws are bound to attract the attention of malicious actors. At the time of writing, the latest available firmware versions users are recommended to upgrade to are 'ZLD V5.36 Patch 2' for ATP (ZLD), USG FLEX, and VPN (ZLD) devices, and 'ZLD V4.73 Patch 2' for ZyWALL.
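The practical follow-up to the advice above is checking an inventory of Zyxel devices against the firmware versions the article names. The script below is an added example and is not code from the article or from Zyxel: it parses ZLD version strings into comparable tuples and flags devices that fall below the recommended version for their product family. The inventory records are constructed for illustration, and the example assumes the versions the article lists ('ZLD V5.36 Patch 2' and 'ZLD V4.73 Patch 2') are the minimum acceptable firmware for each family; for a real audit, compare against Zyxel's advisory for your exact model.

```python
import re

# Minimum firmware per product family, taken from the article. Assumption: a device at or
# above this version is treated as patched; anything lower is flagged.
FIXED_VERSIONS = {
    "ATP": "ZLD V5.36 Patch 2",
    "USG FLEX": "ZLD V5.36 Patch 2",
    "VPN": "ZLD V5.36 Patch 2",
    "ZyWALL": "ZLD V4.73 Patch 2",
}

# Matches strings such as "ZLD V5.36 Patch 2", "V5.36 Patch 1" or "ZLD V4.73" (no patch level).
VERSION_RE = re.compile(r"(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_zld_version(text):
    """Return (major, minor, patch) for a ZLD version string, or None if it cannot be parsed.

    A missing "Patch N" suffix is treated as patch level 0, so "V5.36" sorts below
    "V5.36 Patch 1".
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_patched(family, version_text):
    """True if the device firmware is at or above the fixed version for its family.

    Returns None when the version string cannot be parsed, so the caller can report
    the device as "unknown" rather than silently treating it as safe.
    """
    if family not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for product family {family!r}")
    current = parse_zld_version(version_text)
    if current is None:
        return None
    # Tuple comparison orders by major, then minor, then patch level.
    return current >= parse_zld_version(FIXED_VERSIONS[family])


def audit(inventory):
    """Classify each inventory record as 'patched', 'vulnerable' or 'unknown'.

    Each record is a dict with 'host', 'family' and 'version' keys (constructed format).
    """
    results = {}
    for device in inventory:
        state = is_patched(device["family"], device["version"])
        if state is None:
            results[device["host"]] = "unknown"
        else:
            results[device["host"]] = "patched" if state else "vulnerable"
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "fw-branch-1", "family": "ATP", "version": "ZLD V5.36 Patch 2"},
    {"host": "fw-branch-2", "family": "USG FLEX", "version": "ZLD V5.36 Patch 1"},
    {"host": "vpn-hq", "family": "VPN", "version": "V5.37"},
    {"host": "fw-legacy", "family": "ZyWALL", "version": "ZLD V4.73"},
    {"host": "fw-unknown", "family": "ATP", "version": "firmware build 2021"},
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:12s} {status}")
```

Devices reported as "vulnerable" or "unknown" are the ones to prioritise; a version string that does not parse should be resolved by hand rather than assumed safe, which is why the check returns a three-way result instead of a bare boolean.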