A critical vulnerability discovered in a number of Zyxel networking appliances is being abused in the wild, cybersecurity researchers are saying, urging users to apply a fix now.
A flaw tracked as CVE-2023-28771 was recently discovered affecting different devices belonging to multiple lineups: ATP, USG FLEX – ZLD, VPN – ZLD, and ZyWALL/USG – ZLD. The flaw was described as a critical severity command injection flaw that allows threat actors to install malware on the affected endpoints.
The devices need to be in default configuration mode for the attackers to be able to perform unauthenticated remote code execution via a specially designed IKEv2 packet.
Numerous devices affected
Zyxel released a patch for the flaw in late April this year, and the Cybersecurity and Infrastructure Security Agency (CISA) has now pushed a warning, urging federal agencies to patch their endpoints by June 21, as the flaw is being actively leveraged. BleepingComputer also reported that cybersecurity researchers from Rapid7 also confirmed threat actors abusing the flaw.
One of the groups actively engaged in targeting vulnerable Zyxel devices is Mirai, that’s been expanding its botnet since May 26.
Mirai is usually used for distributed denial of service (DDoS) attacks, but the infected devices can be used for different kinds of cyberattacks.
The news comes less than a week since Zyxel reported discovering two critical vulnerabilities in some of its networking gear. Both of these vulnerabilities are buffer overflows, allowing for denial-of-service (DoS) attacks, as well as remote code execution (RCE), and both were found in some of Zyxel’s firewall and VPN products, and carry a severity score of 9.8 (critical). They are being tracked as CVE-2023-33009, and CVE-2023-33010.
“Zyxel has released patches for firewalls affected by multiple buffer overflow vulnerabilities,” the company’s security advisory reads. “Users are advised to install them for optimal protection.”.