External risk intelligence

Zyxel Firewall Remote Command Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2023-28771

Zyxel firewall and VPN devices are affected by a vulnerability that allows unauthenticated attackers to execute OS commands remotely. This impacts the confidentiality, integrity, and availability of systems and data, posing a significant business risk. Exploitation by botnets has been observed, increasing the potential

5Halo Surface Signal

OS Command Injection

Zyxel Atp100 Firmware

4.60 to before 5.364.60 to before 5.354.60 to before 4.734.73

External exposure likelihood

Halo Surface Signal score for CVE-2023-28771

The affected products are Zyxel firewalls, VPN gateways, and security appliances. These devices are designed to sit at the network edge to provide connectivity and security, making their management interfaces or IKE packet processing services public-facing by design in normal deployment scenarios.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Zyxel ZyWALL/USG, VPN, USG FLEX, and ATP series firmware.

  • Improper error message handling.
  • Allows remote OS command execution.
  • Can lead to device compromise.

Attack Path

How an attacker could exploit the issue

This vulnerability affects Zyxel firewalls, VPN devices, and security appliances. An attacker can exploit this by sending specially crafted packets to an affected device, potentially leading to the execution of operating system commands. This could impact the confidentiality, integrity, and availability of the affected systems and any data they process. The attacker's access to the system could allow for further malicious activities.

  • Network exposure is required.
  • Unauthenticated attacker sends crafted packets.
  • Remote command execution and system control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk, as an unauthenticated attacker with a moderate skill level could remotely execute operating system commands on affected Zyxel devices. Exploitation requires sending crafted packets to the device, potentially leading to the compromise of sensitive data, disruption of services, and unauthorized access to the network. Organizations should prioritize addressing this vulnerability due to its critical severity and the potential for widespread impact.

  • Attacker skill level: Moderate
  • Required access or conditions: Network access
  • Business risk or urgency: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An unauthenticated attacker could remotely execute operating system commands on affected Zyxel devices by sending specially crafted network packets. This vulnerability presents a critical risk, potentially allowing for complete system compromise and unauthorized access to sensitive data. Organizations using these Zyxel products should prioritize addressing this issue to maintain their security posture.

  • Identify all Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG series devices.
  • Isolate affected devices from external access.
  • Apply vendor updates and validate the fix.
  • Monitor for related network activity.

Frequently asked questions

What Zyxel devices are impacted by CVE-2023-28771?

CVE-2023-28771 impacts Zyxel ATP, USG FLEX, VPN, and ZyWALL/USG series devices with specific firmware versions. This includes ATP series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, VPN series firmware versions 4.60 through 5.35, and ZyWALL/USG series firmware versions 4.60 through 4.73.

What weakness does CVE-2023-28771 represent?

CVE-2023-28771 is classified as CWE-78, which is OS command injection. This weakness allows an attacker to execute arbitrary operating system commands on the affected device by sending specially crafted packets.

How can an attacker exploit this Zyxel vulnerability?

An unauthenticated attacker can exploit this by sending crafted packets to an affected Zyxel device. This vulnerability stems from improper error message handling, which can be manipulated to execute operating system commands remotely, potentially leading to device compromise.

What is the relevance of CVE-2023-28771 to network security?

This critical vulnerability allows unauthenticated remote command execution on Zyxel firewalls and VPN devices, posing a significant risk to network security. Its potential for widespread impact and exploitation makes it highly relevant for organizations to address proactively.

What actions should be taken to address this Zyxel vulnerability?

Organizations should identify all affected Zyxel devices, apply vendor-provided firmware updates, and monitor network activity for any suspicious behavior. Isolating affected devices from external access until updates are applied is also a recommended immediate measure.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified