Ongoing attacks capitalize on critical vulnerability in Zyxel firewalls

Widespread exploitation of a critical command injection vulnerability (CVE-2023-28771) in Zyxel networking devices has been observed, with hackers using it to install malware.

The flaw is reachable in the default configuration of the affected firewall and VPN devices: an unauthenticated attacker can execute commands on the device simply by sending a specially crafted IKEv2 packet to UDP port 500, the port the IKE service listens on. No credentials, prior access, or user interaction is required, so any unpatched device whose IKE service is exposed to the internet is at risk.

Zyxel has released patches for the vulnerability, urging users of specific product versions to apply them. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert, confirming active exploitation and advising federal agencies to update by June 21, 2023.

Rapid7 has independently verified that the flaw is being exploited in the wild. One set of attacks deploys a Mirai-based botnet malware onto compromised devices, and other threat actors have also been observed exploiting the vulnerability.

Separately, Zyxel has recently patched two other critical flaws (CVE-2023-33009 and CVE-2023-33010), both buffer overflows, in the same firewall and VPN product lines; either can lead to denial of service or arbitrary code execution.

System administrators are strongly advised to apply the available security updates promptly. The recommended firmware versions are ZLD V5.36 Patch 2 for the ATP, USG FLEX, and VPN series, and ZLD V4.73 Patch 2 for the ZyWALL/USG series. These releases also supersede the earlier fix for CVE-2023-28771, so updating to them closes all three issues at once and removes the attack surface that the ongoing campaigns are targeting.
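When triaging a fleet of Zyxel devices against the recommended versions above, the awkward part is ordering firmware strings such as "ZLD V5.36" versus "ZLD V5.36 Patch 2" correctly. The following is an added example, not code from Zyxel, Rapid7 or CISA: it parses ZLD version strings, treats a release with no "Patch" suffix as patch level 0 (an assumption about Zyxel's numbering), and flags every device running something older than the recommended version for its series. The inventory is constructed sample data; the check only tells you which devices are below the advised firmware level, it does not test exploitability.

```python
import re

# Recommended firmware per product series, taken from the advisory text above.
RECOMMENDED = {
    "ATP": "ZLD V5.36 Patch 2",
    "USG FLEX": "ZLD V5.36 Patch 2",
    "VPN": "ZLD V5.36 Patch 2",
    "ZyWALL/USG": "ZLD V4.73 Patch 2",
}

# Accepts "ZLD V5.36 Patch 2", "V5.36 Patch 2" or "ZLD V5.36" (no patch level).
_VERSION_RE = re.compile(
    r"^\s*(?:ZLD\s+)?V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE
)


def parse_zld(version: str) -> tuple[int, int, int]:
    """Turn a ZLD firmware string into a comparable (major, minor, patch) tuple.

    Assumption: a release without a "Patch N" suffix is the base release and
    therefore sorts below "Patch 1" of the same major.minor.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def needs_update(series: str, running: str) -> bool:
    """True if `running` is older than the recommended firmware for `series`."""
    if series not in RECOMMENDED:
        raise KeyError(f"no recommended version known for series {series!r}")
    return parse_zld(running) < parse_zld(RECOMMENDED[series])


def triage(inventory):
    """Return the (hostname, series, version) entries that still need updating.

    `inventory` is an iterable of (hostname, series, running_version) tuples.
    """
    return [
        (host, series, version)
        for host, series, version in inventory
        if needs_update(series, version)
    ]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.36 Patch 1"),
    ("fw-branch-02", "ATP", "ZLD V5.36 Patch 2"),
    ("fw-hq-edge", "USG FLEX", "ZLD V5.35"),
    ("vpn-dc-01", "VPN", "V5.37"),
    ("legacy-usg", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("legacy-usg-2", "ZyWALL/USG", "ZLD V4.73 Patch 2"),
]

if __name__ == "__main__":
    for host, series, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {series} on {version} -> update to {RECOMMENDED[series]}")
```

Feed `triage` whatever your asset inventory exports (hostname, product series, and the firmware string the device reports) and the devices it returns are the ones to schedule first. Because the check compares against the Patch 2 releases, a device that received only the original CVE-2023-28771 fix is still reported, which is the intended behaviour given the two later flaws in the same code base.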