Zyxel vulnerability under 'widespread exploitation'

A critical Zyxel vulnerability is being widely exploited by threat actors targeting the vendor's network devices, researchers said.

Trapa Security researchers initially discovered the OS command injection vulnerability, tracked as CVE-2023-28771. Zyxel published an advisory on April 25 disclosing the vulnerability with patches available for each of the company's affected devices, including its firewall, VPN and advanced threat protection products.

The advisory was followed by Rapid7's full technical analysis of the bug on May 19. "CVE-2023-28771 is not known to be exploited in the wild as of May 19, 2023, though we expect this to change," Rapid7 wrote in its analysis.

Rapid7 researchers announced on May 31 that the change had occurred -- threat actors are now using the unauthenticated command injection vulnerability to conduct remote code execution in what the company described as "widespread exploitation."

"As of May 26, the vulnerability is being widely exploited, and compromised Zyxel devices are being leveraged to conduct downstream attacks as part of a Mirai-based botnet," Rapid7 President and COO Andrew Burton wrote in a blog post Wednesday. "Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device."

Burton referenced research from the Shadowserver Foundation, a nonprofit cybersecurity organization that reported exploitation activity from a Mirai-like botnet starting on May 26. The Mirai botnet was used in 2016 to launch extremely powerful DDoS attacks through compromised IoT devices. At its height, the Mirai botnet had more than 650,000 compromised devices, according to the FBI.

According to Rapid7, attackers can leverage the vulnerability to target the WAN interface in many Zyxel devices. Burton said at least 42,000 Zyxel devices are on the public internet, though he noted that number could be even higher because it only includes devices that exposed their interfaces on the WAN, which is not the default setting.

"Since the vulnerability is in the VPN service, which is enabled by default on the WAN, we expect the actual number of exposed and vulnerable devices to be much higher," he wrote.

Shadowserver said on Twitter this weekend that it observed a large increase in compromised Zyxel devices performing DDoS attacks. "At this stage if you have a vulnerable device exposed, assume compromise," it advised.

Alexis Zacharakos is a student studying journalism and criminal justice at Northeastern University in Boston.