CVE-2023-28771 is an OS Command Injection vulnerability with a critical CVSS v3.1 score of 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C). This severity is due to its exploitability over the network, low attack complexity, and the lack of a requirement for authentication. The vulnerability has been actively exploited in real-world environments, which is why it was added to CISA’s Known Exploited Vulnerabilities catalog on May 31, 2023. Observed exploitation attempts, including a concentrated spike on June 16, 2023, involved 244 unique malicious IP addresses, with indicators consistent with variants of the Mirai botnet. Notably, this vulnerability was a critical vector in a large-scale cyberattack against Danish critical infrastructure, attributed to the Russian military intelligence agency GRU, which targeted 22 energy companies and their industrial control systems (ICS).
| Date | 2025-06-23 17:09:46 |
Technical Summary
The vulnerability stems from “improper error message handling” within Zyxel’s Internet Key Exchange (IKE) packet decoders. This flaw allows an unauthenticated attacker to achieve remote code execution (RCE) by sending specially crafted packets to the vulnerable device. The exploitation specifically targets the IKE packet decoder operating on UDP port 500. The pre-authentication nature and the ability to spoof IP addresses on UDP port 500 complicate attribution and expand the attack surface.
Affected Zyxel products and their vulnerable firmware versions include:
- ATP series: ZLD V4.60 to V5.35
- USG FLEX series: ZLD V4.60 to V5.35
- VPN series: ZLD V4.60 to V5.35
- ZyWALL/USG series: ZLD V4.60 to V4.73
Recommendations
Apply patches immediately: Update all affected Zyxel firewalls to the latest firmware versions that resolve this vulnerability.
For ATP, USG FLEX, and VPN series: update to ZLD V5.36.
For the ZyWALL/USG series: update to ZLD V4.73 Patch 1.
Limit exposure: Apply network filters to reduce unnecessary exposure of UDP port 500 on WAN interfaces, ensuring that only legitimate VPN access is exposed.
Restrict remote access to all network devices, particularly administrative interfaces, by enforcing strong authentication such as MFA and IP whitelisting.
Strengthen controls: Implement and enforce network segmentation for critical systems, particularly between IT and OT networks, to limit lateral movement in the event of a compromise.
Actively monitor for post-exploitation activity, such as unusual outbound connections or unauthorized processes, as successful exploitation can lead to botnet enrollment or further compromise.
Disable the use of devices declared end-of-life (EOL) in production environments or those exposed to the Internet if they cannot be updated.
[Callforaction-THREAT-Footer]
