Advisory

Zyxel Firewall Devices Exploited In the Wild

Take action: If you haven't patched your Zyxel devices in the last 10 days, PANIC. Then start patching. NOW.


Following the critical advisory to patch Zyxel firewall and VPN devices, security researchers are now raising the alarm that Zyxel devices are being exploited in the wild.

Interestingly, the exploited vulnerability is not emphasised in Zyxel's own advisory, although it was patched in the same release.

The widespread exploitation of Zyxel devices is done through a vulnerability tracked as CVE-2023-28771.

The flaw, which is present in the default configuration of impacted firewall and VPN devices, can be exploited to perform unauthenticated remote code execution using a specially crafted IKEv2 packet to UDP port 500 on the device.

It has been found to be widely exploited, with compromised Zyxel devices being used in Mirai-based botnets.

Recommended mitigation actions if updating is not possible

  • Disable HTTP/HTTPS services on the WAN (Wide Area Network) side, making the vulnerable management endpoints unreachable by remote attackers.
  • If management via WAN is needed, add rules allowing only trusted IP addresses to access the devices.
  • Enabling GeoIP filtering is also recommended, so that access is restricted to trusted locations.
  • Disable UDP port 500 and port 4500 if IPsec VPN isn't needed, shutting another avenue for attacks.
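As an added example (not part of the original advisory), the following Python script applies the mitigation checklist above to a constructed device inventory and produces a per-device list of outstanding actions; device names, fields and inventory values are placeholders, and the rule that a device which must keep IPsec running has no workaround other than the firmware update follows from the exploited path being IKEv2 on UDP 500.

```python
from dataclasses import dataclass

@dataclass
class ZyxelDevice:
    """One firewall/VPN appliance from a (constructed) asset inventory."""
    name: str
    patched: bool                # firmware containing the CVE-2023-28771 fix is installed
    wan_http_mgmt: bool          # HTTP/HTTPS management reachable from the WAN side
    wan_mgmt_allowlist: tuple    # trusted source IPs allowed to manage from WAN (empty = anyone)
    geoip_filtering: bool        # GeoIP restriction on WAN access enabled
    ipsec_vpn_needed: bool       # site actually uses IPsec VPN on this device
    udp_500_4500_open: bool      # IKE (500) / NAT-T (4500) listening on WAN

def mitigation_actions(dev: ZyxelDevice) -> list:
    """Outstanding advisory workarounds for one device; empty list when nothing is left to do."""
    if dev.patched:
        return []
    actions = []
    if dev.wan_http_mgmt and not dev.wan_mgmt_allowlist:
        actions.append("disable HTTP/HTTPS management from WAN, or allowlist trusted management IPs")
    if dev.wan_http_mgmt and not dev.geoip_filtering:
        actions.append("enable GeoIP filtering so WAN management only answers trusted locations")
    if dev.udp_500_4500_open and not dev.ipsec_vpn_needed:
        actions.append("close UDP 500 and 4500 (IPsec VPN not in use)")
    elif dev.udp_500_4500_open:
        # The exploited path is IKEv2 on UDP 500; a device that must keep IPsec up
        # cannot work around it, so the firmware update is the only real fix.
        actions.append("UDP 500 must stay open for IPsec: patch immediately, no workaround covers the IKEv2 path")
    return actions

def triage(inventory) -> list:
    """Unpatched devices first, ordered by how exposed they still are, with their action list."""
    rows = [(d.name, mitigation_actions(d)) for d in inventory]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

# Constructed sample inventory (placeholder names, not real assets).
INVENTORY = [
    ZyxelDevice("branch-fw-01", patched=False, wan_http_mgmt=True,  wan_mgmt_allowlist=(),
                geoip_filtering=False, ipsec_vpn_needed=False, udp_500_4500_open=True),
    ZyxelDevice("hq-vpn-01",    patched=False, wan_http_mgmt=False, wan_mgmt_allowlist=(),
                geoip_filtering=True,  ipsec_vpn_needed=True,  udp_500_4500_open=True),
    ZyxelDevice("lab-fw-02",    patched=True,  wan_http_mgmt=True,  wan_mgmt_allowlist=(),
                geoip_filtering=False, ipsec_vpn_needed=False, udp_500_4500_open=True),
]

if __name__ == "__main__":
    for name, actions in triage(INVENTORY):
        print(name, "->", actions or ["no action outstanding"])
```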

While the Mirai threat is typically limited to DDoS (distributed denial of service), other threat groups might engage in lower-scale and less-noticeable exploitation to launch more potent attacks against organizations.

A quick check on Shodan reveals that there are at least 42,000 Zyxel devices exposed on the internet which fit the description of vulnerable devices.
