"Zyxel Customers Urged to Patch Exploited Bug"

Security researchers at Rapid7 are urging users of Zyxel networking devices to update their firewalls and VPNs after discovering that attackers are actively exploiting a vulnerability in the wild to achieve remote code execution.

The Taiwanese vendor fixed CVE-2023-28771 on April 25, revealing that the flaw affects its ATP, USG Flex, VPN, and ZyWALL/USG products, from versions ZLD V4.60 to V5.35. In the case of the ZyWALL/USG product, it impacts versions ZLD V4.60 to V4.73. Zyxel warned that improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

The researchers at Rapid7 noted that the bug is present in the default configuration of vulnerable devices and is exploitable over the Wide Area Network (WAN) interface, which is designed to be exposed to the internet. They stated that successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device.

The researchers warned that the CVE is being "widely exploited" to compromise devices and conscript them into a Mirai-based botnet, most likely for DDoS attacks.


Infosecurity reports: "Zyxel Customers Urged to Patch Exploited Bug"