
Zyxel published guidance for protecting devices from ongoing attacks

Zyxel has published guidance for protecting firewall and VPN devices from the ongoing attacks recently discovered.

Zyxel has published guidance for protecting firewall and VPN devices from ongoing attacks exploiting the CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010 vulnerabilities.

“Simultaneously, Zyxel has been urging users to install the patches through multiple channels, including issuing several security advisory newsletters to registered users and advisory subscribers; notifying users to upgrade via the Web GUI’s push notification for on-premises devices; and enforcing scheduled firmware upgrades for cloud-based devices that haven’t yet done so.” reads the guidance published by the vendor.

Threat actors are actively attempting to exploit CVE-2023-28771, a command injection vulnerability impacting Zyxel firewalls, with the objective of deploying malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.

The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.

The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service (DoS) condition or achieve remote code execution on vulnerable devices.

The company states that devices under attack become unresponsive, and their Web GUI or SSH management interface is no longer reachable.

Symptoms of attacks include network interruptions and VPN connections disconnecting.

The following table includes products and firmware versions affected by these flaws and the latest firmware updates addressing the issues.

Affected series | Affected versions for CVE-2023-28771 | Affected versions for CVE-2023-33009 / CVE-2023-33010 | Latest firmware
ATP | ZLD V4.60 to V5.35 | ZLD V4.32 to V5.36 Patch 1 | ZLD V5.36 Patch 2
USG FLEX | ZLD V4.60 to V5.35 | ZLD V4.50 to V5.36 Patch 1 | ZLD V5.36 Patch 2
USG FLEX50(W) / USG20(W)-VPN | N/A | ZLD V4.25 to V5.36 Patch 1 | ZLD V5.36 Patch 2
VPN | ZLD V4.60 to V5.35 | ZLD V4.30 to V5.36 Patch 1 | ZLD V5.36 Patch 2
ZyWALL/USG | ZLD V4.60 to V4.73 | ZLD V4.25 to V4.73 Patch 1 | ZLD V4.73 Patch 2
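As an added example (not code from Zyxel or from this article), the script below encodes the affected ranges from the table above and checks whether a given device series and running ZLD firmware string falls inside an affected range, and whether it is at or above the latest firmware. The version ordering it uses (a base release sorts below its "Patch N" releases, which sort below the next minor version), the parsing of the version string, and the sample inventory are assumptions made for the example; a range the advisory lists as N/A is treated as not affected.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch level)


def parse_zld(version: str) -> Version:
    """Parse a ZLD firmware string such as "ZLD V5.36 Patch 1" into
    (major, minor, patch). A base release has patch level 0.

    Assumption (ours, not a documented Zyxel ordering): "Patch N" sorts
    after its base release and before the next minor version.
    """
    m = re.fullmatch(
        r"\s*(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*",
        version,
        re.IGNORECASE,
    )
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


Range = Optional[Tuple[str, str]]  # inclusive (lowest, highest); None == N/A

# Transcribed from the advisory table reproduced on this page.
ADVISORY: Dict[str, Dict[str, object]] = {
    "ATP": {
        "affected": {"CVE-2023-28771": ("V4.60", "V5.35"),
                     "CVE-2023-33009/33010": ("V4.32", "V5.36 Patch 1")},
        "fixed": "V5.36 Patch 2",
    },
    "USG FLEX": {
        "affected": {"CVE-2023-28771": ("V4.60", "V5.35"),
                     "CVE-2023-33009/33010": ("V4.50", "V5.36 Patch 1")},
        "fixed": "V5.36 Patch 2",
    },
    "USG FLEX50(W) / USG20(W)-VPN": {
        "affected": {"CVE-2023-28771": None,  # listed as N/A in the table
                     "CVE-2023-33009/33010": ("V4.25", "V5.36 Patch 1")},
        "fixed": "V5.36 Patch 2",
    },
    "VPN": {
        "affected": {"CVE-2023-28771": ("V4.60", "V5.35"),
                     "CVE-2023-33009/33010": ("V4.30", "V5.36 Patch 1")},
        "fixed": "V5.36 Patch 2",
    },
    "ZyWALL/USG": {
        "affected": {"CVE-2023-28771": ("V4.60", "V4.73"),
                     "CVE-2023-33009/33010": ("V4.25", "V4.73 Patch 1")},
        "fixed": "V4.73 Patch 2",
    },
}


def assess(series: str, running: str) -> Dict[str, bool]:
    """Per CVE, True when `running` lies inside the affected range for
    `series`; "patched" is True when it is at or above the latest firmware."""
    if series not in ADVISORY:
        raise KeyError(f"unknown series {series!r}; known: {sorted(ADVISORY)}")
    v = parse_zld(running)
    row = ADVISORY[series]
    verdict: Dict[str, bool] = {}
    for cve, rng in row["affected"].items():  # type: ignore[union-attr]
        if rng is None:
            verdict[cve] = False
            continue
        lo, hi = parse_zld(rng[0]), parse_zld(rng[1])
        verdict[cve] = lo <= v <= hi
    verdict["patched"] = v >= parse_zld(row["fixed"])  # type: ignore[arg-type]
    return verdict


def needs_upgrade(series: str, running: str) -> bool:
    """Conservative rule: anything below the latest firmware gets upgraded,
    including versions older than the lowest listed affected release."""
    return not assess(series, running)["patched"]


if __name__ == "__main__":
    # Constructed sample inventory for the demo, not real devices.
    inventory = [
        ("ATP", "ZLD V5.36 Patch 1"),
        ("USG FLEX50(W) / USG20(W)-VPN", "V4.25"),
        ("ZyWALL/USG", "ZLD V4.73 Patch 2"),
        ("VPN", "V4.60"),
    ]
    for series, fw in inventory:
        print(f"{series:30} {fw:20} upgrade={needs_upgrade(series, fw)} "
              f"{assess(series, fw)}")
```

Note that a device running firmware older than the lowest version in a range (for example an ATP on ZLD V4.30) is reported as not affected by that CVE but also as not patched; `needs_upgrade` treats that as an upgrade candidate anyway, since the table only enumerates the builds Zyxel assessed, not builds it considers safe.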

Zyxel also provides mitigation measures for these vulnerabilities, such as disabling the HTTP/HTTPS services on the WAN (Wide Area Network) side.

If admins need to manage devices from the WAN side, the guidance recommends enabling Policy Control and adding rules that only allow access from trusted source IP addresses, and enabling GeoIP filtering to only allow access from trusted locations.

Zyxel also recommends disabling UDP ports 500 and 4500, the ports the IKE/IPSec service listens on, if the IPSec VPN function is not required.


Pierluigi Paganini

(SecurityAffairs – hacking, firewall)

