Critical Vulnerability in Zyxel Firewalls exposes command execution
Take action: Patching firewalls is tedious, but this vulnerability exposes them to near-automated attacks. Either place the appliances behind other network defenses - usually not possible for a perimeter device - or patch them. A little effort now goes a long way later.
Zyxel announced this week that it has released patches for a critical vulnerability affecting its ATP, USG FLEX, VPN, and ZyWALL/USG firewalls. The vulnerability, tracked as CVE-2023-28771 and rated CVSS 9.8, allows unauthenticated remote execution of operating system commands. Zyxel's advisory attributes the issue to improper error message handling in certain firmware versions: an attacker can trigger it by sending specially crafted packets to a vulnerable device, with no credentials required. Subsequent public analysis placed the bug in the appliance's IKE packet handling, so any device that accepts IKE (UDP/500) from the Internet is reachable by this attack.
A public proof-of-concept exploit for CVE-2023-28771 is already circulating, which means attackers will soon be able to hit exposed Zyxel devices at scale and, in all likelihood, automatically.
The affected firmware versions are 4.60 through 5.35 for ATP, USG FLEX, and VPN firewalls, and 4.60 through 4.73 for ZyWALL/USG firewalls. Zyxel fixed the issue in ATP, USG FLEX, and VPN firmware version 5.36 and in ZyWALL/USG firmware version 4.73 Patch 1; note that on ZyWALL/USG a device reporting 4.73 without the patch level is still vulnerable. Users are strongly advised to update promptly. Although no exploitation in the wild had been reported at the time of the advisory, unpatched Zyxel appliances are a known target for malicious actors.
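To turn the version ranges above into a fleet check, here is an added Python example (not Zyxel's code and not part of the original advisory). It assumes the firmware version is displayed in the form "V5.35(ABUJ.0)", where the trailing digit inside the parentheses is the patch level, so "V4.73(AAPK.1)" is read as 4.73 Patch 1; the inventory at the bottom is constructed, not real hosts.

```python
"""Triage Zyxel devices against the CVE-2023-28771 version ranges above."""
import re
from typing import NamedTuple


class ZldVersion(NamedTuple):
    """Zyxel ZLD firmware version: major.minor plus patch level."""
    major: int
    minor: int
    patch: int


# Assumed display format, e.g. "V5.35(ABUJ.0)" or "V4.73(AAPK.1)": the digit
# after the dot inside the parentheses is taken to be the patch level, so
# "V4.73(AAPK.1)" is 4.73 Patch 1. A bare "4.73" is treated as patch 0.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\([A-Za-z]+\.(\d+)\))?$")


def parse_zld_version(text: str) -> ZldVersion:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return ZldVersion(int(major), int(minor), int(patch or 0))


# Ranges from the advisory: a version is vulnerable when
# first_affected <= version < first_fixed. Tuple comparison includes the
# patch level, so 4.73 Patch 0 is vulnerable on ZyWALL/USG and Patch 1 is not.
CVE_2023_28771 = {
    "ATP":        (ZldVersion(4, 60, 0), ZldVersion(5, 36, 0)),
    "USG FLEX":   (ZldVersion(4, 60, 0), ZldVersion(5, 36, 0)),
    "VPN":        (ZldVersion(4, 60, 0), ZldVersion(5, 36, 0)),
    "ZyWALL/USG": (ZldVersion(4, 60, 0), ZldVersion(4, 73, 1)),
}


def assess(family: str, version_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'not-listed' for one device."""
    if family not in CVE_2023_28771:
        raise ValueError(f"family not covered by the advisory: {family!r}")
    first_affected, first_fixed = CVE_2023_28771[family]
    v = parse_zld_version(version_text)
    if v >= first_fixed:
        return "patched"
    if v >= first_affected:
        return "vulnerable"
    return "not-listed"  # older than the lowest version the advisory names


# Constructed inventory for illustration: (hostname, family, version as shown in the GUI).
INVENTORY = [
    ("fw-hq-1",     "ATP",        "V5.35(ABUJ.0)"),
    ("fw-hq-2",     "USG FLEX",   "V5.36(ABUJ.0)"),
    ("fw-branch-1", "ZyWALL/USG", "V4.73(AAPK.0)"),
    ("fw-branch-2", "ZyWALL/USG", "V4.73(AAPK.1)"),
    ("fw-lab",      "VPN",        "V4.25(ABFC.0)"),
]


def triage(inventory) -> dict:
    """Group hosts by status so the vulnerable ones can be patched first."""
    out = {"vulnerable": [], "patched": [], "not-listed": []}
    for host, family, version in inventory:
        out[assess(family, version)].append(host)
    return out


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:11} {', '.join(hosts) or '-'}")
```

Run it against the version strings exported from your own inventory; anything in the "vulnerable" bucket on an Internet-facing interface should be patched first, and "not-listed" only means the version is below the range the advisory names, not that it is safe.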
The same 5.36 firmware for ATP, USG FLEX, and VPN firewalls also resolves a second, high-severity command injection flaw, CVE-2023-27991. For the USG FLEX 50(W) and USG20(W)-VPN models, that issue is likewise fixed in firmware version 5.36.