
Threat Actors Exploit Critical Zyxel Flaw in Botnet Attacks
Threat actors are exploiting a critical-severity Zyxel flaw in order to add vulnerable devices to a Mirai botnet variant.

While the Taiwanese networking manufacturer released a patch addressing the flaw on April 25, many devices have not received updates yet and remain open to attacks. The flaw (CVE-2023-28771) is an operating system command injection bug that stems from improper error message handling in certain firewall and VPN devices.

“As of May 26, the vulnerability is being widely exploited, and compromised Zyxel devices are being leveraged to conduct downstream attacks as part of a Mirai-based botnet,” said researchers with Rapid7 in a Wednesday advisory. “Mirai botnets are frequently used to conduct DDoS attacks.”

Researchers said that exploitation of the flaw could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted IKEv2 packets to UDP port 500 on affected devices. The simplicity of exploitation, paired with the fact that the vulnerability exists in the default configuration of affected devices (and is exploitable on the Wide Area Network, or WAN, interface, which is designed to face the internet), makes the flaw even more concerning.

"The vulnerability is very easy to exploit, to the point that I would call it trivial to exploit," said Stephen Fewer, principal security researcher with Rapid7. "An attacker needs to send a single IKEv2 packet to a vulnerable device and this packet will contain a command string that will be executed by the operating system. Unlike a memory corruption vulnerability - for which reliable exploitation can depend on a variety of factors, some of which an attacker cannot fully control - when exploiting a command injection vulnerability the reliability is very high."

The vulnerability impacts Zyxel’s ATP series (ZLD V4.60 to V5.35), USG Flex (ZLD V4.60 to V5.35), VPN (ZLD V4.60 to V5.35) and ZyWALL/USG (ZLD V4.60 to V4.73).

While it’s unknown how many vulnerable devices are being exploited, Shodan shows at least 42,000 Zyxel devices on the public internet, and researchers said they believe the actual number of exposed and vulnerable devices is much higher. At the same time, the Shadowserver Foundation said over 700 of its IKEv2-aware honeypot sensors have seen internet-wide sweeps for CVE-2023-28771 since May 26. Businesses that rely on impacted Zyxel devices are urged to apply updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the flaw to its Known Exploited Vulnerabilities catalog, giving federal agencies a due date of June 21 to patch it.

“We strongly recommend that users of the affected Zyxel products update to the latest firmware on an emergency basis,” said Rapid7 researchers. “At time of writing, the latest firmware version is 5.36 Patch 2, or 4.73 Patch 2 for ZyWALL/USG.”
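As an added illustration (not code from the article, from Rapid7 or from Zyxel), the following Python script turns the affected ZLD ranges listed for each product series and the latest firmware versions quoted above into an inventory triage check, so an administrator can flag which devices still need the emergency update. It assumes that the 5.36 Patch 2 build is the target for the ATP, USG Flex and VPN series (the three whose affected range ends at 5.35), that the listed ranges are inclusive on major.minor, and that the hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch level)

# Affected ZLD firmware ranges as listed in the advisory, keyed by product series.
# Ranges are inclusive on major.minor; the patch level is not part of the range.
AFFECTED_RANGES: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZYWALL/USG": ((4, 60), (4, 73)),
}

# Latest firmware named in the advisory. Assumption: "5.36 Patch 2" applies to the
# three series whose affected range ends at 5.35 (ATP, USG Flex, VPN).
LATEST_FIRMWARE: Dict[str, Version] = {
    "ATP": (5, 36, 2),
    "USG FLEX": (5, 36, 2),
    "VPN": (5, 36, 2),
    "ZYWALL/USG": (4, 73, 2),
}

# Accepts "ZLD V5.35", "V4.73 Patch 2", "5.36 Patch 2" and similar forms.
VERSION_RE = re.compile(r"V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from a Zyxel ZLD version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(series: str, version_text: str) -> str:
    """Classify one device against the advisory's ranges.

    Conservative by design: anything below the latest firmware whose major.minor
    falls inside the listed range is reported as affected, so a partially patched
    build at the top of the range is not silently treated as safe.
    """
    key = series.strip().upper()
    if key not in AFFECTED_RANGES:
        return "unknown series"
    version = parse_version(version_text)
    if version >= LATEST_FIRMWARE[key]:
        return "up to date"
    low, high = AFFECTED_RANGES[key]
    if low <= version[:2] <= high:
        return "affected"
    return "not in listed range"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every device that is not up to date."""
    results = []
    for hostname, series, version_text in inventory:
        try:
            status = assess(series, version_text)
        except ValueError:
            status = "unparseable version"
        if status != "up to date":
            results.append((hostname, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("fw-branch-01", "ATP", "ZLD V5.35"),
        ("fw-branch-02", "USG Flex", "ZLD V5.36 Patch 2"),
        ("fw-hq-vpn", "VPN", "V5.10"),
        ("fw-legacy", "ZyWALL/USG", "V4.73"),
        ("fw-lab", "ZyWALL/USG", "V4.73 Patch 2"),
        ("fw-old", "ATP", "ZLD V4.50"),
    ]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

Devices reported as "not in listed range" are below the latest firmware but outside the ranges the advisory names; they still warrant a check against the vendor's own release notes rather than being assumed safe, which is why the script reports them instead of dropping them.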