Actively Exploited Zyxel Vulnerability Under Scrutiny Following a Long Lull in Activity
Critical Zyxel Firewall Vulnerability Under Active Exploitation
A critical remote code execution (RCE) vulnerability, CVE-2023-28771, has been identified in Zyxel firewall products, including ATP, USG FLEX, VPN, and ZyWALL. This flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary OS commands via the IKE decoder over UDP port 500, posing a significant security risk.
The vulnerability has been actively exploited since at least June 2023, with ongoing malicious activity targeting exposed devices worldwide. The exploitation attempts have been observed in various regions, making it a critical issue that network defenders should prioritise for patching and mitigation.
The vulnerability has been officially listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming its status as a significant threat. However, there is no clear or direct evidence linking its exploitation to Mirai botnet infections. The Mirai botnet historically targets IoT devices with weak credentials and known vulnerabilities, but this Zyxel vulnerability is a firewall RCE and is not currently reported as being leveraged by Mirai variants.
Network defenders are urged to patch affected Zyxel devices without delay and to monitor traffic on UDP port 500 for signs of exploitation attempts. Any internet-exposed Zyxel firewall should be treated as high-risk until it is mitigated. Security teams are also encouraged to block the IP addresses identified as targeting the flaw, patch every internet-exposed Zyxel device, and monitor those devices for post-exploitation activity.
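The monitoring advice above (watch UDP port 500, block the identified source addresses) can be turned into a small log-triage routine. The script below is an added example and is not code from the article, Zyxel, or GreyNoise. It assumes a pipe-delimited connection log of the form `timestamp|src_ip|dst_ip|proto|dst_port|action`; the sample lines, the `BLOCKLIST` entries (RFC 5737 documentation addresses standing in for the published indicators) and the `KNOWN_PEERS` set (legitimate VPN peers that are expected to speak IKE) are all constructed placeholders.

```python
"""Triage firewall connection logs for inbound IKE (UDP/500) activity.

Added example, not from the original article. Log format, sample lines,
BLOCKLIST and KNOWN_PEERS are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp|src_ip|dst_ip|proto|dst_port|action
SAMPLE_LOG = """\
2025-06-01T10:00:01Z|203.0.113.7|198.51.100.2|udp|500|allow
2025-06-01T10:00:02Z|203.0.113.7|198.51.100.2|udp|500|allow
2025-06-01T10:00:03Z|192.0.2.44|198.51.100.2|udp|500|allow
2025-06-01T10:00:04Z|10.0.0.5|198.51.100.2|udp|500|allow
2025-06-01T10:00:05Z|203.0.113.7|198.51.100.2|udp|500|allow
2025-06-01T10:00:06Z|203.0.113.7|198.51.100.2|udp|4500|allow
2025-06-01T10:00:07Z|192.0.2.44|198.51.100.2|tcp|443|allow
2025-06-01T10:00:08Z|203.0.113.7|198.51.100.2|udp|500|allow
2025-06-01T10:00:09Z|198.51.100.9|198.51.100.2|udp|500|allow
"""

# Placeholder values: replace with the published indicator list and your
# own site-to-site VPN peers.
BLOCKLIST = {"192.0.2.44"}
KNOWN_PEERS = {"10.0.0.5"}


def parse_line(line):
    """Split one pipe-delimited log record into a dict with typed fields."""
    ts, src, dst, proto, port, action = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "port": int(port),
        "action": action,
    }


def ike_hits(log_text):
    """Return {src_ip: [timestamps]} for every inbound UDP/500 record."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "udp" and rec["port"] == 500:
            hits[rec["src"]].append(rec["ts"])
    return hits


def max_hits_in_window(times, window_seconds):
    """Largest number of hits from one source inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, burst_threshold=3, window_seconds=60):
    """Classify each IKE source as blocklisted, a known peer, an unexpected
    burst (possible probing/exploitation attempt) or an unexpected single hit."""
    findings = {}
    for src, times in ike_hits(log_text).items():
        if src in BLOCKLIST:
            findings[src] = "blocklisted"
        elif src in KNOWN_PEERS:
            findings[src] = "known_peer"
        elif max_hits_in_window(times, window_seconds) >= burst_threshold:
            findings[src] = "unexpected_burst"
        else:
            findings[src] = "unexpected_single"
    return findings


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Anything other than `known_peer` on a device whose only legitimate IKE peers are known in advance deserves a look; a `blocklisted` or `unexpected_burst` verdict on an unpatched firewall is the cue to patch it and review it for post-exploitation activity, as the article recommends.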
The vulnerability affects multiple firewall models and was patched in 2023. Exploitation of vulnerabilities in legacy Zyxel devices has been a growing concern: researchers from VulnCheck warned in February that hackers were trying to exploit vulnerabilities in end-of-life Zyxel devices. GreyNoise researchers have identified newly active IP addresses that had shown no exploitation-related activity during the preceding two weeks. In January, GreyNoise researchers warned of hackers targeting a vulnerability, tracked as CVE-2024-40891, in Zyxel CPE devices.
Verizon Business and Zyxel did not immediately respond to requests for comment. Despite this, it is crucial for network administrators to take immediate action to secure their Zyxel firewalls and protect their networks from potential exploitation.
- Network administrators urgently need to patch their Zyxel firewall devices, given the active exploitation of CVE-2023-28771 and the cybersecurity risk this remote code execution (RCE) flaw poses.
- Although the flaw was patched in 2023, exploitation of vulnerabilities in legacy Zyxel devices, such as CVE-2024-40891 in Zyxel CPE devices, remains a significant concern.