Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

June 1, 2023 | Ravi Lakshmanan | Network security / exploits


Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in recently patched Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection flaw affecting several firewall models that could allow an unauthenticated attacker to execute arbitrary code by sending specially crafted packets to the device. Rapid7's analysis places the bug in the device's IKE (Internet Key Exchange) packet decoder, reachable over UDP port 500, which is normally exposed on the WAN interface for VPN use, so no credentials are needed.

Zyxel addressed the flaw in patches released on April 25, 2023. The affected devices and fixed versions are:

  • ATP (versions ZLD V4.60 – V5.35, patched in ZLD V5.36)
  • USG FLEX (versions ZLD V4.60 – V5.35, patched in ZLD V5.36)
  • VPN (versions ZLD V4.60 – V5.35, patched in ZLD V5.36)
  • ZyWALL/USG (versions ZLD V4.60 – V4.73, patched in ZLD V4.73 Patch 1)
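The one check a practitioner wants here is whether a given device's firmware is still exposed, and the ZyWALL/USG entry shows why a naive range check is not enough: "V4.73" is affected but "V4.73 Patch 1" is not, so the comparison has to be made against the fixed release, not the advisory's upper bound. The following is an added example (not code from the article, Zyxel, or any named vendor) that parses ZLD version strings, including the "Patch N" suffix, and classifies devices against the table above; the product-family names, the `assess` and `triage` helpers, and the sample inventory are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Added example, not from the article or from Zyxel. Affected ranges and fixed
# releases are those listed in the advisory table above. We compare against the
# FIXED release rather than the advisory's upper bound so that "V4.73" is
# flagged but "V4.73 Patch 1" is not.
FIXES = {
    # family: (first affected release, release containing the fix)
    "ATP":        ("ZLD V4.60", "ZLD V5.36"),
    "USG FLEX":   ("ZLD V4.60", "ZLD V5.36"),
    "VPN":        ("ZLD V4.60", "ZLD V5.36"),
    "ZyWALL/USG": ("ZLD V4.60", "ZLD V4.73 Patch 1"),
}

Version = Tuple[int, int, int]

# Accepts "ZLD V5.36", "V4.73 Patch 1" or "4.60". The optional "Patch N" suffix
# becomes the third component, so Patch 1 sorts after the base release.
_VERSION_RE = re.compile(
    r"^(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE
)


def parse_zld(text: str) -> Version:
    """Turn a ZLD version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


@dataclass
class Verdict:
    family: str
    version: Version
    vulnerable: bool
    reason: str


def assess(family: str, version_text: str) -> Verdict:
    """Classify one device. Tuple comparison gives the right ordering for
    (major, minor, patch): (4, 73, 0) < (4, 73, 1) < (5, 36, 0)."""
    if family not in FIXES:
        raise KeyError(f"product family not covered by the advisory: {family!r}")
    first_text, fixed_text = FIXES[family]
    v = parse_zld(version_text)
    first, fixed = parse_zld(first_text), parse_zld(fixed_text)
    if v < first:
        # Older than the advisory's range: not listed as affected, but old
        # enough that it deserves a separate look rather than a clean bill.
        return Verdict(family, v, False,
                       f"older than {first_text}; not listed in the advisory, verify separately")
    if v < fixed:
        return Verdict(family, v, True, f"affected; upgrade to {fixed_text}")
    return Verdict(family, v, False, f"at or above fixed release {fixed_text}")


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """inventory: (hostname, family, version) rows from an asset list.
    Returns the hostnames that still need the patch."""
    return [host for host, fam, ver in inventory if assess(fam, ver).vulnerable]


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real devices.
    sample = [
        ("fw-branch-01", "USG FLEX",   "ZLD V5.35"),
        ("fw-branch-02", "USG FLEX",   "V5.36"),
        ("fw-dc-01",     "ZyWALL/USG", "ZLD V4.73"),
        ("fw-dc-02",     "ZyWALL/USG", "ZLD V4.73 Patch 1"),
        ("fw-lab",       "ATP",        "4.50"),
    ]
    for host, fam, ver in sample:
        verdict = assess(fam, ver)
        print(f"{host:13} {fam:11} {ver:18} vulnerable={verdict.vulnerable}  {verdict.reason}")
    print("needs patch:", triage(sample))
```

Feed it the firmware strings from your device inventory or the ZLD web UI and act on the `vulnerable=True` rows first; a device reported as older than V4.60 is not cleared by the advisory and should be checked against Zyxel's support status rather than assumed safe.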

The Shadowserver Foundation said in recent tweets that the flaw has been "actively exploited to build Mirai-like botnets" since May 26, 2023. Cybersecurity firm Rapid7 likewise warned of "widespread" in-the-wild exploitation of CVE-2023-28771.

Given the active exploitation, users should apply the patches promptly to mitigate the risk. U.S. federal civilian agencies have until June 21, 2023 to update affected devices under CISA's KEV directive. Because the bug is reachable without authentication, administrators who cannot patch immediately should at minimum restrict IKE (UDP/500) exposure on the WAN interface to known VPN peers and review devices for signs of compromise.


The disclosure coincided with Palo Alto Networks Unit 42 detailing a new wave of attacks by an active Mirai botnet variant called IZ1H9, observed since early April 2023.

The campaign was found to exploit multiple remote code execution flaws in Internet-facing IoT devices, including Zyxel gear, to ensnare the devices into a botnet used to orchestrate distributed denial-of-service (DDoS) attacks.

It is worth noting that Mirai has generated numerous clones since its source code was leaked in October 2016.

“IoT devices have always been a lucrative target for threat actors, and remote code execution attacks continue to be the most common and most concerning threats affecting IoT devices and Linux servers,” Unit 42 said.

“While the vulnerabilities exploited by this threat are less complex, they are still capable of remote code execution, so the impact is not mitigated.”
