Hackers are widely exploiting a critical-severity command injection flaw in Zyxel network devices, tracked as CVE-2023-28771, to install malware.
The flaw, which is present in the default configuration of the affected firewall and VPN devices, allows unauthenticated remote code execution via a specially crafted IKEv2 packet sent to UDP port 500 on the device.
Zyxel released patches for the vulnerability on April 25, 2023, advising users of the following product versions to apply them:
- ATP – ZLD V4.60 to V5.35
- USG FLEX – ZLD V4.60 to V5.35
- VPN – ZLD V4.60 to V5.35
- ZyWALL/USG – ZLD V4.60 to V4.73
That warning coincides with a separate Rapid7 report today confirming active exploitation of the flaw.
One of the activity clusters confirmed to be exploiting CVE-2023-28771 is a Mirai-based malware botnet which, according to Shadowserver, began launching attacks on May 26, 2023.
Similar activity was spotted by cybersecurity researcher Kevin Beaumont a day earlier, who highlighted the use of a publicly available proof-of-concept (PoC) exploit.
While the Mirai threat is generally limited to DDoS (distributed denial of service), other threat groups may carry out smaller-scale, less noticeable exploitation to stage more damaging attacks against organizations.
It is also worth noting that Zyxel recently patched two other critical-severity flaws, CVE-2023-33009 and CVE-2023-33010, which affect the same firewall and VPN products.
Both flaws could allow unauthenticated attackers to impose a denial of service on vulnerable devices or execute arbitrary code.
System administrators should apply the available security updates as soon as possible to mitigate emerging exploitation risk, as newly disclosed flaws are sure to attract the attention of malicious actors.
At the time of writing, users are advised to upgrade to the latest available firmware: "ZLD V5.36 Patch 2" for ATP, USG FLEX and VPN, and "ZLD V4.73 Patch 2" for ZyWALL/USG.