Actively Exploited Zyxel Vulnerability under Scrutiny Following a Long Lull In Activity
Critical Zyxel Firewall Vulnerability Under Active Exploitation
A critical remote code execution (RCE) vulnerability, CVE-2023-28771, has been identified in Zyxel firewall products, including ATP, USG FLEX, VPN, and ZyWALL. This flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary OS commands via the IKE decoder over UDP port 500, posing a significant security risk.
The vulnerability has been actively exploited since at least June 2023, with ongoing malicious activity targeting exposed devices worldwide. The exploitation attempts have been observed in various regions, making it a critical issue that network defenders should prioritise for patching and mitigation.
The vulnerability has been officially listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming its status as a significant threat. However, there is no clear or direct evidence linking its exploitation to Mirai botnet infections. The Mirai botnet historically targets IoT devices with weak credentials and known vulnerabilities, but this Zyxel vulnerability is a firewall RCE and is not currently reported as being leveraged by Mirai variants.
Network defenders are urged to patch affected Zyxel devices without delay and to monitor traffic on UDP port 500 for signs of exploitation attempts. Any internet-exposed Zyxel firewall should be treated as high-risk until it has been mitigated. Security teams are also encouraged to block the IP addresses identified as sources of this activity, patch any internet-exposed Zyxel devices, and monitor those devices for post-exploitation activity.
The vulnerability affects multiple firewall models and was patched in 2023. Exploitation of vulnerabilities in legacy Zyxel devices has been a growing concern: in February, researchers from VulnCheck warned that attackers were trying to exploit vulnerabilities in end-of-life Zyxel devices. GreyNoise researchers have identified IP addresses newly engaged in this activity that had not been involved in any exploitation-related activity during the prior two weeks. In January, GreyNoise researchers warned of attackers targeting a vulnerability in Zyxel CPE devices, tracked as CVE-2024-40891.
Verizon Business and Zyxel did not immediately respond to requests for comment. Despite this, it is crucial for network administrators to take immediate action to secure their Zyxel firewalls and protect their networks from potential exploitation.
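The monitoring advice above (watch UDP port 500 toward exposed firewalls, block known-bad sources) can be turned into a simple triage pass over flow logs. The following Python script is an added example and is not code from the article, Zyxel, GreyNoise or VulnCheck: it parses constructed flow-log lines, skips everything that is not IKE traffic aimed at the firewall's WAN addresses, and flags sources that are either on an intelligence block list or not among the organisation's known site-to-site VPN peers. The WAN addresses, the peer allowlist, the block list entry and the log format are all hypothetical values chosen for the example; the page names no addresses, so a real deployment would substitute its own.

```python
"""Triage flow logs for unexpected IKE (UDP/500) traffic toward firewall WAN interfaces.

Added example; all addresses and the log line format are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical WAN addresses of the monitored Zyxel firewalls (RFC 5737 documentation range).
FIREWALL_WAN_IPS = {"203.0.113.10", "203.0.113.11"}

# Hypothetical allowlist of legitimate site-to-site VPN peers that are expected to speak IKE.
KNOWN_IKE_PEERS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.5/32")]

# Placeholder block list standing in for the threat-intel IP addresses referenced by the article.
INTEL_BLOCKLIST = {"198.18.0.77"}

# Constructed key=value flow format; adapt the pattern to the exporter actually in use.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+pkts=(?P<pkts>\d+)"
)

# Constructed sample log: two legitimate peers, one blocklisted source hitting both
# firewalls, one unknown source probing IKE, and unrelated HTTPS traffic.
SAMPLE_LOG = """\
2023-06-10T02:11:09Z src=198.51.100.23 dst=203.0.113.10 proto=udp dport=500 pkts=12
2023-06-10T02:11:15Z src=192.0.2.5 dst=203.0.113.11 proto=udp dport=500 pkts=8
2023-06-10T02:12:40Z src=198.18.0.77 dst=203.0.113.10 proto=udp dport=500 pkts=3
2023-06-10T02:12:41Z src=198.18.0.77 dst=203.0.113.11 proto=udp dport=500 pkts=3
2023-06-10T02:13:02Z src=192.0.2.200 dst=203.0.113.10 proto=udp dport=500 pkts=1
2023-06-10T02:13:30Z src=192.0.2.200 dst=203.0.113.10 proto=tcp dport=443 pkts=40
malformed line that the parser must ignore
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int


def parse_flow_line(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the format."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]), int(m["pkts"]))


def is_known_peer(src: str) -> bool:
    """True when the source address falls inside an allowlisted VPN peer network."""
    addr = ip_address(src)
    return any(addr in net for net in KNOWN_IKE_PEERS)


def classify(flow: Flow) -> Optional[str]:
    """Return a review reason for IKE traffic to a firewall WAN address, else None."""
    if flow.proto != "udp" or flow.dport != 500 or flow.dst not in FIREWALL_WAN_IPS:
        return None  # not IKE toward a monitored firewall; out of scope here
    if flow.src in INTEL_BLOCKLIST:
        return "blocklisted-source"
    if not is_known_peer(flow.src):
        return "unknown-ike-peer"
    return None  # expected peer talking IKE: normal VPN operation


def suspicious_ike_flows(log_text: str) -> List[Tuple[Flow, str]]:
    """Collect every flow that merits analyst review together with its reason."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow_line(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append((flow, reason))
    return findings


def sources_by_hit_count(log_text: str) -> Counter:
    """Aggregate flagged flows by source so the noisiest addresses surface first."""
    return Counter(flow.src for flow, _ in suspicious_ike_flows(log_text))


if __name__ == "__main__":
    for flow, reason in suspicious_ike_flows(SAMPLE_LOG):
        print(f"{reason:20} {flow.src:>15} -> {flow.dst}:{flow.dport}/{flow.proto} pkts={flow.packets}")
    print("per-source:", dict(sources_by_hit_count(SAMPLE_LOG)))
```

Legitimate IKE traffic from configured VPN peers is left alone, so the output is a short list of sources worth a closer look rather than every UDP/500 packet. Blocklisted sources are reported separately from merely unknown ones because the former can go straight to a block rule while the latter may be a new branch office someone forgot to allowlist.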