Vulnerability Alert! Two New Exploited Flaws Discovered on Zyxel Firewalls - #CVE-2023-33009
2023-06-07

_CISA has added two Zyxel firewall flaws, CVE-2023-33009 and CVE-2023-33010, to its Known Exploited Vulnerabilities (KEV) catalog. Both are rated 9.8 out of 10 on the CVSS scale and can lead to denial-of-service (DoS) conditions and remote code execution (RCE). Zyxel released patches on May 24, 2023, and urged customers to apply them as soon as possible._

_The affected firewall series are ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG. Both CVE-2023-33009 and CVE-2023-33010 are buffer overflow vulnerabilities that an unauthenticated attacker can exploit to cause a DoS condition or achieve RCE; users are advised to install the patches immediately._

_This follows the recent disclosure of CVE-2023-28771, which was actively exploited to enlist vulnerable devices into a Mirai botnet. Federal Civilian Executive Branch (FCEB) agencies have been instructed to remediate the two new flaws by June 26, 2023._

_Where patching cannot happen at once, Zyxel's alert advises disabling unneeded HTTP/HTTPS services on the WAN and blocking UDP ports 500 and 4500 (IKE and NAT-T) on the WAN if IPsec VPN is not required. Security specialists stress that these are stopgaps and that immediate patching is the only complete fix. --Darien Kindlund_

[View Article](https://thehackernews.com/2023/06/zyxel-firewalls-under-attack-urgent.html)

2023-06-01

_Zyxel firewalls are being hijacked by a destructive botnet that exploits a recently patched vulnerability rated 9.8 out of 10. Shadowserver, which monitors internet threats in real time, warns that if you have a vulnerable device exposed to the internet you should assume it has been compromised. The botnet is a Mirai variant, which uses the bandwidth of thousands of compromised devices to launch distributed denial-of-service attacks._

_The bug is CVE-2023-28771, an unauthenticated command-injection vulnerability. Zyxel patched it on April 25, but unpatched devices can still be made to execute malicious code by a specially crafted IKEv2 packet sent to UDP port 500. The flaw exists in the default configuration of Zyxel's firewall and VPN devices, including the ZyWALL/USG, VPN, USG FLEX, and ATP series._

_CISA has placed CVE-2023-28771 on its Known Exploited Vulnerabilities list and has given federal agencies until June 21 to fix any vulnerable devices on their networks. Security researcher Kevin Beaumont has also warned of widespread exploitation._

_Shodan measurements show almost 43,000 Zyxel devices exposed to the internet. Rapid7 estimates that the true number of exposed, vulnerable devices is much higher, because the flaw sits in the VPN service, which is enabled by default on the WAN interface. Zyxel devices have long been a favorite target because they sit at the network edge, where defenses are typically thinner._

_In addition to CVE-2023-28771, Rapid7 has warned of two other vulnerabilities, CVE-2023-33009 and CVE-2023-33010, which Zyxel patched last week; both also carry a 9.8 severity rating. Many device owners do not install security updates promptly, so further Zyxel compromises are likely if that patching hygiene does not improve. --Darien Kindlund_

[View Article](https://ciso2ciso.com/active-mirai-botnet-variant-exploiting-zyxel-devices-for-ddos-attacks-sourcethehackernews-com/)

2023-05-31

_Hackers are actively exploiting a critical command injection flaw in Zyxel networking devices, CVE-2023-28771, to install malware. The vulnerability is present in the default configuration of the affected firewall and VPN devices and allows unauthenticated remote code execution via a specially crafted IKEv2 packet. Zyxel released patches on April 25, 2023, and urged users to apply them._

_CISA has issued an alert warning that CVE-2023-28771 is being actively exploited and has directed federal agencies to apply the update by June 21, 2023. Rapid7 has also confirmed active exploitation. One of the activity clusters is a Mirai-based botnet that began launching attacks on May 26, 2023; other threat groups may engage in lower-volume, less conspicuous exploitation to stage more targeted attacks against organizations._

_Zyxel has also recently fixed two other critical flaws, CVE-2023-33009 and CVE-2023-33010, in the same firewall and VPN products. They could allow an unauthenticated attacker to cause a denial of service or execute arbitrary code. Administrators should apply the available updates as soon as possible, since these newer flaws are likely to attract attackers' attention as well. --Darien Kindlund_

[View Article](https://securityboulevard.com/2023/05/critical-vulnerability-in-zyxel-network-appliances-exploited-poc-scripts-circulating/)

2023-05-26

_Zyxel has issued software updates for two critical vulnerabilities in certain firewall and VPN products. The flaws, CVE-2023-33009 and CVE-2023-33010, are buffer overflows rated 9.8 out of 10 on the CVSS scale; a remote attacker who exploits them could achieve code execution._

_CVE-2023-33009 is a buffer overflow in the notification function, and CVE-2023-33010 is a buffer overflow in the ID processing function. Either could let an unauthenticated attacker cause a denial-of-service (DoS) condition or achieve remote code execution._

_The affected devices are ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG in specific firmware version ranges, and Zyxel has released patches for each._

_Researchers from TRAPA Security and STAR Labs SG discovered and reported the flaws. The update follows Zyxel's recent fix for CVE-2023-28771, another critical vulnerability in its firewall devices, which has been actively exploited by threat actors associated with the Mirai botnet. --Darien Kindlund_

[View Article](https://securityboulevard.com/2023/05/critical-vulnerability-in-zyxel-network-appliances-exploited-poc-scripts-circulating/)
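The recurring advice across these items is to patch, and in the meantime to keep IKE (UDP 500/4500) and the web UI off the WAN. The item from 2023-06-01 also notes why exposure is so broad: the IKE service is on by default on the WAN. An added example, not code from the page, from Zyxel, or from any of the cited researchers: a small Python probe that sends a benign IKE_SA_INIT to UDP 500 and reports whether an IKEv2 responder answers, which is the quickest way to confirm that a device is (or, after applying the mitigation, is no longer) reachable on the port the botnet targets. It checks exposure only, not the presence of CVE-2023-28771. Assumptions: the proposal suite (AES-CBC-128 / HMAC-SHA1 / DH group 14), the random filler used in place of a real Diffie-Hellman value (enough to draw a reply, usually a Notify, but never a completed handshake), and the constructed reply bytes used for the offline self-check; function and constant names are the example's own.

```python
"""Exposure check for IKEv2 responders on UDP 500 (added example; see lead-in for assumptions)."""
import os
import socket
import struct
import sys

IKE_SA_INIT = 34                      # exchange type (RFC 7296 section 3.1)
IKEV2_VERSION = 0x20                  # major 2, minor 0
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
HDR_FMT = "!QQBBBBII"                 # SPIi, SPIr, next payload, version, exchange, flags, msg id, length
HDR_LEN = struct.calcsize(HDR_FMT)    # 28 bytes
DH_GROUP_14 = 14


def _payload(next_payload, body):
    """Generic payload header (RFC 7296 section 3.2): next type, critical=0, length incl. header."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def _transform(ttype, tid, attrs=b"", last=False):
    """Transform substructure; first octet 3 = more transforms follow, 0 = last one."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def build_sa_payload(next_payload):
    """One IKE proposal: AES-CBC-128, PRF HMAC-SHA1, HMAC-SHA1-96, DH group 14 (assumed, widely supported)."""
    key_len = struct.pack("!HH", 0x800E, 128)             # TV attribute 14: Key Length = 128
    transforms = (_transform(1, 12, key_len)              # ENCR_AES_CBC
                  + _transform(2, 2)                      # PRF_HMAC_SHA1
                  + _transform(3, 2)                      # AUTH_HMAC_SHA1_96
                  + _transform(4, DH_GROUP_14, last=True))
    # proposal: last(0), reserved, length, proposal #1, protocol IKE(1), SPI size 0, 4 transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, 4) + transforms
    return _payload(next_payload, proposal)


def build_ike_sa_init(spi_i, ke_data, nonce):
    """Initiator IKE_SA_INIT: header + SA + KE + Ni. ke_data is filler, not a real DH public value."""
    sa = build_sa_payload(PAYLOAD_KE)
    ke = _payload(PAYLOAD_NONCE, struct.pack("!HH", DH_GROUP_14, 0) + ke_data)
    ni = _payload(0, nonce)
    body = sa + ke + ni
    hdr = struct.pack(HDR_FMT, spi_i, 0, PAYLOAD_SA, IKEV2_VERSION, IKE_SA_INIT,
                      FLAG_INITIATOR, 0, HDR_LEN + len(body))
    return hdr + body


def parse_header(data):
    """Decode the fixed 28-byte IKE header into a dict; raises on truncated input."""
    if len(data) < HDR_LEN:
        raise ValueError("short IKE packet")
    keys = ("spi_i", "spi_r", "next_payload", "version", "exchange", "flags", "message_id", "length")
    return dict(zip(keys, struct.unpack(HDR_FMT, data[:HDR_LEN])))


def classify_reply(spi_i, data):
    """Verdict for a datagram received after the probe; any IKEv2 response means an exposed responder."""
    try:
        h = parse_header(data)
    except ValueError:
        return "not-ike"
    if h["version"] >> 4 != 2:
        return "not-ikev2"
    if h["spi_i"] != spi_i or h["exchange"] != IKE_SA_INIT or not h["flags"] & FLAG_RESPONSE:
        return "unrelated"
    if h["next_payload"] == PAYLOAD_NOTIFY:
        return "ikev2-responder (notify)"    # e.g. INVALID_KE_PAYLOAD: it rejected the filler KE, but it answered
    return "ikev2-responder"


def probe(host, port=500, timeout=3.0):
    """Send one probe and classify the first reply; 'no-reply' means filtered, down, or not listening."""
    spi_i = int.from_bytes(os.urandom(8), "big")
    pkt = build_ike_sa_init(spi_i, os.urandom(256), os.urandom(32))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify_reply(spi_i, data)


# Constructed responder reply for the offline self-check (not captured from any device): our SPIi
# echoed, a fresh SPIr, the response flag set, and one Notify payload of type 17 (INVALID_KE_PAYLOAD)
# whose two data octets name DH group 14.
PROBE_SPI = 0x0102030405060708
CONSTRUCTED_REPLY = (
    struct.pack(HDR_FMT, PROBE_SPI, 0x1112131415161718, PAYLOAD_NOTIFY, IKEV2_VERSION,
                IKE_SA_INIT, FLAG_RESPONSE, 0, HDR_LEN + 10)
    + _payload(0, struct.pack("!BBHH", 1, 0, 17, DH_GROUP_14))
)

if __name__ == "__main__":
    # usage: python ike_probe.py <host>   (no argument runs the offline self-check)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_reply(PROBE_SPI, CONSTRUCTED_REPLY))
```

Run it only against addresses you are responsible for. A verdict of `ikev2-responder` or `ikev2-responder (notify)` from the outside means the IKE service is still reachable on the WAN and the device should be treated as exposed until the patch is confirmed; `no-reply` after the UDP 500/4500 block is the expected result of the mitigation, though it also covers hosts that are simply down. A Notify reply is the common case because the filler KE data is not a valid group 14 public value, and that is deliberate: the probe demonstrates reachability, not a handshake.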