Zyxel, a networking device manufacturer based in Taiwan, is strongly advising customers to update the firmware of their ATP, USG Flex, VPN, and ZyWALL/USG firewall devices. The update is necessary to avoid exploitation of recently patched vulnerabilities, which are tracked as CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010. These vulnerabilities can lead to operating system (OS) command execution, remote code execution (RCE), and denial-of-service (DoS) attacks.
The first of these issues, CVE-2023-28771, was discovered in late April. Zyxel released patches for it, warning that the vulnerability could be exploited remotely without authentication by sending specially crafted packets to a vulnerable device. In mid-May, security researchers successfully reproduced the exploit targeting CVE-2023-28771. Rapid7 warned that the vulnerability would likely be mass-exploited in the wild, as tens of thousands of Zyxel device web interfaces were accessible from the internet.
Shortly after, a Mirai variant was observed exploiting the bug to ensnare unpatched devices in a DDoS-capable botnet. Around the same time, Zyxel released patches for CVE-2023-33009 and CVE-2023-33010. Now, Zyxel is once again raising the alarm about the ongoing attacks and urging customers to install the available patches as soon as possible to prevent exploitation.
Zyxel has previously informed customers of the available patches through multiple channels, such as security advisory newsletters, push notifications via web GUIs, and scheduled firmware upgrades for cloud-based devices. The company also recommends customers take additional precautions, like disabling HTTP/HTTPS services from the WAN if unused, enabling policy control and only allowing access from trusted IPs, enabling geoIP filtering, and disabling UDP ports 500 and 4500 if unused.
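The hardening steps above (no web GUI on the WAN unless needed, policy control limited to trusted IPs, UDP 500/4500 closed when no VPN is configured) translate naturally into an exposure audit a defender can run against an exported rule set. The script below is an added example and not Zyxel's own code or tooling: the rule format, field names, trusted networks and sample rules are all constructed here for illustration and do not follow any Zyxel export format.

```python
"""Audit a firewall policy export against the hardening steps in the advisory.

Assumptions (not from the original article): policies are represented as a
list of dicts with the constructed fields shown below; "ZyWALL" stands for the
device's own management zone. Sample rules use RFC 5737 documentation ranges.
"""
from ipaddress import ip_network

# Management web GUI ports the advisory says to disable on the WAN if unused
MGMT_WEB_PORTS = {("tcp", 80), ("tcp", 443)}
# IKE / NAT-T ports the advisory says to disable if no VPN is in use
IKE_UDP_PORTS = {("udp", 500), ("udp", 4500)}

# Constructed list of networks from which management access is acceptable
TRUSTED_SOURCES = ["203.0.113.0/24"]

# Constructed sample policy export (hypothetical, not a real device config)
SAMPLE_RULES = [
    {"id": 1, "from": "WAN", "to": "ZyWALL", "proto": "tcp", "port": 443, "src": "any", "action": "allow"},
    {"id": 2, "from": "WAN", "to": "ZyWALL", "proto": "tcp", "port": 80, "src": "any", "action": "deny"},
    {"id": 3, "from": "WAN", "to": "ZyWALL", "proto": "udp", "port": 500, "src": "any", "action": "allow"},
    {"id": 4, "from": "WAN", "to": "ZyWALL", "proto": "udp", "port": 4500, "src": "198.51.100.0/24", "action": "allow"},
    {"id": 5, "from": "WAN", "to": "ZyWALL", "proto": "tcp", "port": 22, "src": "203.0.113.0/24", "action": "allow"},
    {"id": 6, "from": "LAN", "to": "ZyWALL", "proto": "tcp", "port": 443, "src": "any", "action": "allow"},
]


def source_is_trusted(src, trusted):
    """True if `src` is a network fully contained in one of the trusted networks."""
    if src == "any":
        return False
    net = ip_network(src, strict=False)
    return any(net.version == ip_network(t).version and net.subnet_of(ip_network(t))
               for t in trusted)


def audit(rules, trusted=TRUSTED_SOURCES, vpn_in_use=False):
    """Return (rule id, reason) findings for WAN-to-device rules that violate the guidance."""
    findings = []
    for r in rules:
        # Only permissive rules that expose the device itself to the WAN matter here
        if r["action"] != "allow" or r["from"] != "WAN" or r["to"] != "ZyWALL":
            continue
        key = (r["proto"], r["port"])
        if key in MGMT_WEB_PORTS:
            if r["src"] == "any":
                findings.append((r["id"], "web GUI reachable from any WAN address: disable HTTP/HTTPS on WAN or restrict to trusted IPs"))
            elif not source_is_trusted(r["src"], trusted):
                findings.append((r["id"], "web GUI allowed from an untrusted WAN source"))
        elif key in IKE_UDP_PORTS:
            if not vpn_in_use:
                findings.append((r["id"], "UDP 500/4500 open on WAN but no VPN configured: disable the port"))
            elif r["src"] == "any":
                findings.append((r["id"], "IKE/NAT-T accepted from any WAN address: restrict to known VPN peers"))
        elif not source_is_trusted(r["src"], trusted):
            findings.append((r["id"], "management service allowed from an untrusted WAN source"))
    return findings


def finding_ids(rules, **kwargs):
    """Convenience wrapper returning only the offending rule ids, in policy order."""
    return [rule_id for rule_id, _ in audit(rules, **kwargs)]


if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES, vpn_in_use=False):
        print(f"rule {rule_id}: {reason}")
```

Run against the constructed export with `vpn_in_use=False`, rules 1, 3 and 4 are reported (web GUI open to the whole internet, IKE ports open with no VPN configured); with `vpn_in_use=True`, rule 4 is accepted because it is pinned to a specific peer network and only rules 1 and 3 remain. Rule 5 passes because SSH management is limited to a trusted network, which is the policy-control posture the advisory recommends.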
To detect potential malware infections, customers should be on the lookout for symptoms like unresponsive devices, unreachable web GUIs or SSH management interfaces, network interruptions, and VPN connections that drop unexpectedly. More information on the addressed vulnerabilities can be found on Zyxel's security advisories page.