Hackers Exploit Critical Zyxel Firewall Flaw in Ongoing Attacks

Cyber Security Threat Summary:
A critical command injection flaw in Zyxel networking devices is being exploited in widespread attacks to install malware. Tracked as CVE-2023-28771, the flaw affects the default configuration of the impacted firewall and VPN devices and can be abused for unauthenticated remote code execution by sending a specially crafted IKEv2 packet to UDP port 500 on the device. The impacted products are:

  • ATP – ZLD V4.60 to V5.35
  • USG FLEX – ZLD V4.60 to V5.35
  • VPN – ZLD V4.60 to V5.35
  • ZyWALL/USG – ZLD V4.60 to V4.73
Zyxel addressed the flaw on April 25, 2023, and warned users to upgrade to the latest firmware release to resolve the vulnerability.
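As an added example (not from this advisory, Zyxel or Shadowserver), the following Python script checks a ZLD firmware version string against the product table above and reports whether a device falls in the listed affected range or is already on the release recommended in this advisory. It parses the version notation used on this page (e.g. "ZLD V5.36 Patch 2"); the handling of the range boundaries described in the comments is this example's reading of the table, not a vendor statement, and the inventory in the usage section is constructed sample data.

```python
"""Check Zyxel ZLD firmware version strings against the CVE-2023-28771
product table. Added example, not vendor tooling."""
import re

# Affected ranges (inclusive) from the product list above, as
# (major, minor, patch) tuples. Boundary reading (an assumption of this
# example): ATP / USG FLEX / VPN are fixed on a new base version (V5.36),
# so every patch level of V5.35 stays in range; ZyWALL/USG is fixed by a
# patch release on the same base (V4.73 Patch 2), so only the unpatched
# V4.73 base is in range.
AFFECTED = {
    "ATP":        ((4, 60, 0), (5, 35, float("inf"))),
    "USG FLEX":   ((4, 60, 0), (5, 35, float("inf"))),
    "VPN":        ((4, 60, 0), (5, 35, float("inf"))),
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 0)),
}

# Latest releases recommended in this advisory.
RECOMMENDED = {
    "ATP":        "ZLD V5.36 Patch 2",
    "USG FLEX":   "ZLD V5.36 Patch 2",
    "VPN":        "ZLD V5.36 Patch 2",
    "ZyWALL/USG": "ZLD V4.73 Patch 2",
}

# Accepts the notation used on this page: "ZLD V5.36 Patch 2", "V4.73", "4.60".
_VERSION_RE = re.compile(
    r"^\s*(?:ZLD\s+)?V?(\d+)\.(\d+)(?:\s+Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_zld_version(text):
    """Return (major, minor, patch); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(product, version_text):
    """Classify one device as 'affected', 'current', 'below_range' (older than
    the listed range, so not covered by this advisory) or 'behind_recommended'
    (outside the affected range but older than the recommended release)."""
    if product not in AFFECTED:
        raise KeyError(f"unknown product line: {product!r}")
    version = parse_zld_version(version_text)
    low, high = AFFECTED[product]
    recommended = parse_zld_version(RECOMMENDED[product])
    if low <= version <= high:
        status = "affected"
    elif version < low:
        status = "below_range"
    elif version >= recommended:
        status = "current"
    else:
        status = "behind_recommended"
    return {"product": product, "version": version,
            "status": status, "recommended": RECOMMENDED[product]}


def triage(inventory):
    """Return the hosts to patch first: everything in the affected range,
    sorted by product line and then by version (oldest first). `inventory`
    is an iterable of (hostname, product, version_text)."""
    hits = []
    for host, product, version_text in inventory:
        if assess(product, version_text)["status"] == "affected":
            hits.append((host, product, version_text))
    return sorted(hits, key=lambda h: (h[1], parse_zld_version(h[2])))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE = [
        ("fw-hq-1",   "ATP",        "ZLD V5.35 Patch 1"),
        ("fw-hq-2",   "ATP",        "ZLD V5.36 Patch 2"),
        ("fw-branch", "ZyWALL/USG", "V4.73"),
        ("fw-lab",    "ZyWALL/USG", "ZLD V4.73 Patch 2"),
        ("fw-legacy", "VPN",        "V4.20"),
    ]
    for host, product, version_text in SAMPLE:
        r = assess(product, version_text)
        print(f"{host:10} {product:11} {version_text:20} -> {r['status']}"
              f" (recommended {r['recommended']})")
    print("patch first:", [h for h, _, _ in triage(SAMPLE)])
```

A device reported as "below_range" is older than anything the advisory lists and should be treated as unsupported rather than safe; "behind_recommended" means the device is outside the listed affected range but still not on the release this advisory names, so it should be scheduled for the same upgrade.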

Security Officer Comments:
According to Shadowserver, the flaw is being actively exploited to build a Mirai-like botnet; the compromised devices can then be used to launch distributed denial-of-service attacks against targeted individuals and organizations. Shadowserver noted that, since May 26, internet-wide sweeps have been observed by over 700 of its IKEv2 honeypot sensors. The activity appears to have started after proof-of-concept exploit code was published on GitHub on May 22, 2023. With a PoC publicly available, we expect to see an increase in exploitation attempts in the wild.

Suggested Correction(s):
CISA has added the flaw to its Known Exploited Vulnerabilities catalog, urging organizations to apply the updates by June 21, 2023. At the time of writing, the latest firmware versions users are recommended to upgrade to are ZLD V5.36 Patch 2 for the ATP, USG FLEX and VPN series, and ZLD V4.73 Patch 2 for ZyWALL/USG. For more information, please refer to Zyxel's advisory linked below:

Link(s):
https://www.zyxel.com/global/en/
https://www.bleepingcomputer.com/