Zyxel Multiple Firewall Vulnerabilities
Actively exploited and causing denial of service
Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers are observed deploying Mirai like botnet inducing denial of service conditions. One of the vulnerability, CVE-2023-28771 which allows unauthenticated attackers to execute OS commands remotely has a publicly available proof of concept (PoC). Learn More »
Common Vulnerabilities and Exposures
Background
Zyxel Networks is a communications equipment company with over 100 million devices globally and serving 1 million customers according to their website. The recent discovered vulnerabilities has been seen exploited in the wild and reportedly exploited by Mirai based botnet variant to cause DDoS. As reported by FortiGuard Outbreak Alerts on December 2022, the Zyxel USG FLEX was previously targetted by the Zerobot malware due to its OS command injection vulnerability (CVE-2022-30525). According to a Shodan search there are 40,000+ Zyxel devices exposed to internet and the number of vulnerable devices could be much more as the default setting of some of the devices are not internet exposed.
Threat Radar Overall Score: 4.2
CVSS Rating | 9.0 | |
FortiRecon Score | 92/100 | |
Known Exploited | Yes | |
Exploit Prediction Score | 92.16% | |
FortiGuard Telemetry | 15344 |
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
April 25, 2023: Initial release of advisory from vendor on CVE-2023-28771, CVE-2023-33009, CVE-2023-33010
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls
May 31, 2023: CISA added CVE-2023-28771 to its Known Exploited Vulnerability catalog (KEV).
June 5, 2023: CISA added CVE-2023-33009 and CVE-2023-33010 to its Known Exploited Vulnerability catalog (KEV).
June 5, 2023: Mirai based botnet remain active, lately affecting multiple IoT devices. Go to Addtional resources to review the Outbreaks and vulnerabilties related/affected by Mirai based Botnet.
June 5, 2023: FortiGuard added Threat Signal on Zyxel Multiple Firewall Vulnerabilities
https://www.fortiguard.com/threat-signal-report/5179/
July 19, 2023: FortiGuard Labs released a detailed analyis blog article on DDoS botnets targeting Zyxel Vulnerability.
https://www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771
FortiGuard Labs has released an IPS signature to detect any attack attempts to exploit CVE-2023-28771 and further investigating protections for CVE-2023-33009 and CVE-2023-33010. Antivirus signatures to detect and block known malware related to exploitation of vulnerable Zyxel devices.
It is strongly recommended to update ATP, USG Flex, VPN, and ZyWALL/USG firewalls to prevent exploitation of recent vulnerabilities as per vendor advisory to fully mitigate the risk and look for DoS "Denial of Service" like symptoms that could arise if compromised.
https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance-for-the-recent-attacks-on-the-zywall-devices
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
-
Lure
-
Decoy VM
-
AV
-
AV (Pre-filter)
-
IPS
-
IOC
-
Outbreak Detection
-
Threat Hunting
-
Content Update
-
Assisted Response Services
-
Automated Response
-
InfoSec Services
-
Attack Surface Monitoring (Inside & Outside)
Lure Detects attack attempts related to Zyxel Multiple Firewall Vulnerabilities and prevents lateral movement on the network segment
Decoy VM Detects attack attempts related to Zyxel Multiple Firewall Vulnerabilities and prevents lateral movement on the network segment
AV Detects and blocks Marai based botnet related to Zyxel vulnerabilities
AV (Pre-filter) Detects and blocks Marai based botnet related to Zyxel vulnerabilities
IPS Detects and blocks OS Command Injection vulnerability (CVE-2023-28771)
Outbreak Detection
Threat Hunting
Content Update
Assisted Response Services Experts to assist you with analysis, containment and response activities.
Automated Response Services that can automaticlly respond to this outbreak.
InfoSec Services Security readiness and awareness training for SOC teams, InfoSec and general employees.
Attack Surface Monitoring (Inside & Outside) Security reconnaissance and penetration testing services, covering both internal & external attack vectors, including those introduced internally via software supply chain.
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
Loading ...
Indicators of compromise
IOC Indicator List
Indicators of compromise
IOC Threat Activity
Last 30 days
Chg
Avg 0
Mitre Matrix
Click here for the ATT&CK Matrix
References
Sources of information in support and relation to this Outbreak and vendor.