A Mirai botnet variant has been taking advantage of a recently patched vulnerability, identified as CVE-2023-28771, to compromise numerous Zyxel firewalls. The Taiwan-based networking device manufacturer made customers aware of the security issue on April 25, when it released patches for affected ATP, VPN, USG Flex, and ZyWALL/USG firewalls. The OS command injection vulnerability was discovered by Trapa Security and is caused by improper error message handling in some firewalls. This flaw could enable an unauthenticated attacker to execute OS commands remotely by sending specially crafted packets to the targeted device.
By mid-May, security experts reported successfully reproducing the exploit, and Rapid7 cautioned a few days later that the vulnerability would likely be exploited in the wild. Rapid7 observed 42,000 instances of internet-exposed Zyxel device web interfaces, but noted that the actual number of exploitable devices was probably much higher. Researcher Kevin Beaumont reported on Thursday that CVE-2023-28771 has been 'mass exploited' by a Mirai botnet variant, with many SMB appliances being impacted. Mirai botnets typically use compromised devices to launch DDoS attacks, which can be massive.
It's not unusual for hackers to target Zyxel devices using recently patched vulnerabilities. Zyxel announced fixes for two other potentially serious flaws affecting its firewalls this week. The bugs, identified as CVE-2023-33009 and CVE-2023-33010, are buffer overflows that can allow unauthenticated attackers to cause a DoS condition or execute arbitrary code on affected devices.