Zyxel Firewalls Vulnerability CVE-2023-28771 Exploited by Hackers
Experts have warned that the critical vulnerability CVE-2023-28771 in Zyxel firewalls is already being exploited in the wild. In particular, the Mirai botnet is actively using the recently disclosed bug. The vulnerability was discovered by TRAPA Security specialists and received a rating of 9.8 out of 10 on the CVSS vulnerability rating scale.
Vulnerable Versions
The bug, fixed at the end of April, stems from incorrect handling of error messages in some versions of the firewall firmware and allows an unauthenticated attacker to “remotely execute commands by sending custom packets to a vulnerable device.” The problem affects the following versions: ATP (ZLD V4.60 to V5.35, fixed in ZLD V5.36); USG FLEX (ZLD V4.60 to V5.35, fixed in ZLD V5.36); VPN (ZLD V4.60 to V5.35, fixed in ZLD V5.36); ZyWALL/USG (ZLD V4.60 to V4.73, fixed in ZLD V4.73 Patch 1).
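As an added example (not code from the article, Zyxel, or any of the researchers named), a small Python inventory check that turns the affected ZLD ranges above into a per-device answer, so that the patching advice later in the article can be applied to a fleet. The device inventory is constructed, and the accepted version-string format (optional "Patch N" suffix, optional parenthesised build tag) is an assumption.

```python
import re

# CVE-2023-28771 affected ZLD ranges as stated in the advisory summary above:
# product -> (first affected version, first fixed version). A device is affected
# when first_affected <= version < first_fixed.
AFFECTED_RANGES = {
    "ATP":        ((4, 60, 0), (5, 36, 0)),   # V4.60 - V5.35, fixed in V5.36
    "USG FLEX":   ((4, 60, 0), (5, 36, 0)),   # V4.60 - V5.35, fixed in V5.36
    "VPN":        ((4, 60, 0), (5, 36, 0)),   # V4.60 - V5.35, fixed in V5.36
    "ZyWALL/USG": ((4, 60, 0), (4, 73, 1)),   # V4.60 - V4.73, fixed in V4.73 Patch 1
}

# Assumed ZLD version string format: "V5.35", "V4.73 Patch 1", optionally with a
# parenthesised build tag such as "V5.36(ABFV.0)" between the number and "Patch".
_ZLD_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\([^)]*\))?(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)

def parse_zld(version: str) -> tuple:
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _ZLD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/firmware pair falls inside the affected range."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"product line not covered by this advisory: {product!r}")
    first_affected, first_fixed = AFFECTED_RANGES[product]
    return first_affected <= parse_zld(version) < first_fixed

def triage(inventory):
    """Return the (name, product, version) entries that still need the fix."""
    return [dev for dev in inventory if is_vulnerable(dev[1], dev[2])]

# Constructed sample inventory (names and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "V5.35"),                 # affected
    ("fw-branch-02", "ATP", "V5.36(ABFV.0)"),         # fixed
    ("fw-hq-01", "USG FLEX", "V4.60"),                # affected (start of range)
    ("fw-legacy-01", "ZyWALL/USG", "V4.73"),          # affected: needs Patch 1
    ("fw-legacy-02", "ZyWALL/USG", "V4.73 Patch 1"),  # fixed
    ("fw-old-01", "VPN", "V4.50"),                    # below the listed range
]

if __name__ == "__main__":
    for name, product, version in triage(SAMPLE_INVENTORY):
        print(f"{name}: {product} {version} is affected by CVE-2023-28771, update now")
```

Note the ZyWALL/USG edge case: plain V4.73 is still affected, because the fix only ships in V4.73 Patch 1.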
Hackers Exploiting Vulnerability
As the US Cybersecurity and Infrastructure Security Agency (CISA) has now warned, the new vulnerability is already being exploited by attackers on a large scale. Details about these attacks were shared by security researchers from Rapid7 and Shadowserver, as well as by the well-known expert Kevin Beaumont.
One of the malware clusters using CVE-2023-28771 is a Mirai-based botnet that began its attacks on May 26, 2023. Such malware is typically used to launch DDoS attacks, but it can also perform other tasks. The researchers note that the attacks rely on a publicly available PoC exploit for this vulnerability.
Compromised Devices
Shadowserver experts warn device owners that any vulnerable device that has not yet been patched should be considered compromised. According to Shadowserver data collected over the past 10 days, 25 of the 62 most active sources of “downward attacks” (that is, attempts to break into other Internet-connected devices) were IP addresses belonging to Zyxel devices.
Protecting Against Vulnerability
To protect against the vulnerability, Zyxel has released patches for the affected firmware versions. All users running these versions should update their firewalls as soon as possible. In addition, users should take further security measures, such as using strong passwords, enabling two-factor authentication, and regularly monitoring their networks for suspicious activity.
The discovery of the CVE-2023-28771 vulnerability in Zyxel firewalls is a reminder of the importance of regularly patching and updating devices. It is also a reminder of the need for organizations to take additional security measures to protect their networks from malicious actors.