Hackers exploit critical Zyxel firewall flaw in ongoing attacks


Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware.

The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device.

Zyxel released patches for the vulnerability on April 25, 2023, warning users of the following affected product versions to apply them:

  • ATP – ZLD V4.60 to V5.35
  • USG FLEX – ZLD V4.60 to V5.35
  • VPN – ZLD V4.60 to V5.35
  • ZyWALL/USG – ZLD V4.60 to V4.73

Today, CISA published an alert warning that CVE-2023-28771 is being actively exploited by attackers, urging federal agencies to apply the available update by June 21, 2023.


This alert coincides with additional verification from Rapid7 today that confirms the active exploitation of the flaw.

One of the activity clusters confirmed to exploit CVE-2023-28771 is a Mirai-based botnet malware that, according to Shadowserver, started launching attacks on May 26, 2023.

Similar activity was spotted a day earlier by cybersecurity researcher Kevin Beaumont, who highlighted the use of a publicly available PoC (proof-of-concept) exploit.

While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations.

It is also important to note that Zyxel has recently fixed two other critical-severity flaws, CVE-2023-33009 and CVE-2023-33010, which impact the same firewall and VPN products.

The two flaws could allow unauthenticated attackers to impose denial of service on vulnerable devices or execute arbitrary code.

System admins should apply the available security updates as soon as possible to mitigate emerging exploitation risks, as the more recent flaws are bound to get the attention of malicious actors.

At the time of writing, the latest available firmware version users are recommended to upgrade to is ‘ZLD V5.36 Patch 2’ for ATP, USG FLEX, and VPN devices, and ‘ZLD V4.73 Patch 2’ for ZyWALL/USG.
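As an added example (not from the article or from Zyxel), the check below parses Zyxel's "ZLD Vx.yy Patch n" firmware strings and sorts an inventory by the affected ranges and recommended builds listed above, so the devices still exposed to CVE-2023-28771 can be patched first. The hostnames and firmware strings in the sample inventory are constructed; the product names and version numbers are the ones stated in the article.

```python
import re
from typing import Dict, Tuple

# Affected ranges (major, minor) and recommended builds (major, minor, patch),
# taken from the advisory text above; the ranges give no patch level.
AFFECTED: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "ATP":        ((4, 60), (5, 35)),
    "USG FLEX":   ((4, 60), (5, 35)),
    "VPN":        ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}
RECOMMENDED: Dict[str, Tuple[int, int, int]] = {
    "ATP": (5, 36, 2), "USG FLEX": (5, 36, 2), "VPN": (5, 36, 2),
    "ZyWALL/USG": (4, 73, 2),
}

_ZLD = re.compile(r"^ZLD\s+V(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)

def parse_zld(version: str) -> Tuple[int, int, int]:
    """'ZLD V5.36 Patch 2' -> (5, 36, 2); a string with no 'Patch N' is patch 0."""
    m = _ZLD.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def assess(product: str, version: str) -> str:
    """Classify one device as 'affected', 'below-recommended' or 'current'."""
    ver = parse_zld(version)
    lo, hi = AFFECTED[product]
    fixed = RECOMMENDED[product]
    # ZyWALL/USG is listed as affected up to V4.73 yet fixed in V4.73 Patch 2, so a
    # build counts as 'affected' only if it is in the listed range AND below the fix.
    if lo <= ver[:2] <= hi and ver < fixed:
        return "affected"
    if ver < fixed:
        return "below-recommended"  # e.g. V5.36 without Patch 2, or pre-4.60 firmware
    return "current"

# Constructed sample inventory (hostnames and firmware strings are made up).
INVENTORY = [
    ("fw-branch-01", "ATP",        "ZLD V5.35 Patch 1"),
    ("fw-hq-01",     "USG FLEX",   "ZLD V5.36"),
    ("vpn-dc-02",    "VPN",        "ZLD V5.36 Patch 2"),
    ("usg-legacy",   "ZyWALL/USG", "ZLD V4.73"),
]

def triage(inventory=INVENTORY) -> Dict[str, str]:
    """Map hostname -> status; 'affected' hosts go to the front of the patch queue."""
    return {host: assess(product, ver) for host, product, ver in inventory}
```

Feed `triage()` the product and firmware fields exported from your device management tool; any string the parser rejects should be reviewed by hand rather than silently skipped.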

