Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771)

A recently fixed command injection vulnerability (CVE-2023-28771) affecting a variety of Zyxel firewalls may soon be exploited in the wild, Rapid7 researchers have warned, after publishing a technical analysis and a PoC script that triggers the vulnerability and achieves a reverse root shell.

About CVE-2023-28771

CVE-2023-28771 affects:

  • Zyxel ATP, USG FLEX, and VPN firewalls running versions v4.60 to v5.35 of the ZLD firmware, and
  • Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73

These firewall devices monitor and control network traffic, have VPN and SSL inspection capabilities, and offer additional protection against malware and other threats.

The vulnerability arises from improper error message handling, and can be triggered by sending a specially crafted UDP packet to port 500 on the WAN interface of a vulnerable device, allowing attackers to achieve OS command execution as the root user.

“The vulnerable component is the Internet Key Exchange (IKE) packet decoder, which forms part of the IPSec VPN service offered by the device,” Rapid7 researchers said, but pointed out that a VPN does not need to be configured on the device for the device to be vulnerable.

The vulnerability is easy to weaponize and successful exploitation does not hinge on prior authentication.

“CVE-2023-28771 is not known to be exploited in the wild as of May 19, 2023, though we expect this to change,” the researchers noted.

“There are some 42,000 instances of Zyxel web interfaces exposed to the public internet. This does not, however, capture vulnerable VPN implementations, which means real exposure is likely much higher.”

What should you do?

Discovered and reported by TRAPA Security researchers, the vulnerability was fixed by Zyxel in April 2023, with the release of ZLD v5.36 and ZLD v4.73 Patch 1.

Admins of vulnerable devices are advised to upgrade to the latest firmware update as quickly as possible. Enabling automatic firmware updates is also generally a good idea.
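Checking an inventory against the affected and fixed versions listed above (ZLD v4.60 to v5.35 for ATP, USG FLEX and VPN, fixed in v5.36; ZLD v4.60 to v4.73 for ZyWALL/USG, fixed in v4.73 Patch 1) is a quick first step before scheduling upgrades. The script below is an added example, not code from Zyxel or Rapid7: the version ranges come from this article, the hostnames and firmware strings are constructed sample data, and the parenthesised `V4.73(ABCD.1)` form it accepts is an assumed inventory format in which the digit after the dot is taken as the patch level.

```python
"""Triage a device inventory against the CVE-2023-28771 affected ranges.

Added example (not Zyxel's or Rapid7's code). The version ranges come from
the article; the inventory rows and hostnames are constructed sample data.
"""
import re

# ZLD firmware ranges named in the article, per model family.
# Entry: (first affected (major, minor), last affected (major, minor),
#         minimum fixed (major, minor, patch)).
AFFECTED = {
    "ATP":        ((4, 60), (5, 35), (5, 36, 0)),
    "USG FLEX":   ((4, 60), (5, 35), (5, 36, 0)),
    "VPN":        ((4, 60), (5, 35), (5, 36, 0)),
    "ZyWALL/USG": ((4, 60), (4, 73), (4, 73, 1)),   # fixed by v4.73 Patch 1
}

# Accepts "V5.36", "4.73 Patch 1" and, as an assumed inventory style,
# "V4.73(ABCD.1)", where the digit after the dot inside the parentheses
# is taken as the patch level. Anything else is rejected rather than guessed.
_VERSION_RE = re.compile(
    r"^\s*V?(\d+)\.(\d+)"
    r"(?:\s*Patch\s*(\d+)|\([A-Za-z]+\.(\d+)\))?\s*$",
    re.IGNORECASE,
)


def parse_zld_version(text):
    """Return (major, minor, patch); raise ValueError on an unrecognised string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or m.group(4) or 0)
    return (major, minor, patch)


def triage(family, version_text):
    """Classify one device: 'vulnerable', 'patched', 'outside_range' or 'unknown_family'."""
    if family not in AFFECTED:
        return "unknown_family"
    first, last, fixed = AFFECTED[family]
    major, minor, patch = parse_zld_version(version_text)
    # Compare including the patch level so that v4.73 (vulnerable) and
    # v4.73 Patch 1 (fixed) are told apart.
    if (major, minor, patch) >= fixed:
        return "patched"
    if first <= (major, minor) <= last:
        return "vulnerable"
    # Older than the stated range: not covered by the advisory, review separately.
    return "outside_range"


# Constructed sample inventory: (hostname, model family, reported firmware).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP",        "V5.35"),
    ("fw-branch-02", "USG FLEX",   "V5.36(ABCD.0)"),
    ("fw-dc-01",     "ZyWALL/USG", "V4.73"),
    ("fw-dc-02",     "ZyWALL/USG", "4.73 Patch 1"),
    ("fw-lab-01",    "VPN",        "V4.25"),
]


def triage_inventory(rows):
    """Return {hostname: status} for every row in the inventory."""
    return {host: triage(family, ver) for host, family, ver in rows}


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as `vulnerable` go to the front of the upgrade queue; `outside_range` hosts run firmware older than anything the advisory covers and should be checked against Zyxel's own support pages rather than assumed safe.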

UPDATE (May 25, 2023, 03:35 a.m. ET):

Zyxel has released new patches to fix two buffer overflow flaws (CVE-2023-33009, CVE-2023-33010) affecting ATP, USG FLEX, USG FLEX50(W)/USG20(W)-VPN, VPN and ZyWALL/USG firewalls. These could lead to DoS or even RCE, so be sure to implement those fixes, as well.

UPDATE (May 26, 2023, 01:25 a.m. ET):

The Mirai botnet is exploiting CVE-2023-28771 en masse.
