Pierluigi Paganini
July 22, 2023
Fortinet FortiGuard Labs researchers warned of multiple DDoS botnets exploiting a vulnerability impacting multiple Zyxel firewalls.
The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection issue that could potentially allow an unauthorized attacker to execute arbitrary code on vulnerable devices.
The cause of the vulnerability is the improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the vulnerability by sending specially crafted packets to an affected device.
Zyxel addressed the vulnerability in late April and advised customers to install the provided patches.
US CISA added the vulnerability to its Known Exploited Vulnerability to Catalog based on evidence of active exploitation.
In June, researchers from Rapid7 also confirmed that they are tracking reports of ongoing exploitation of CVE-2023-28771. The researchers warned that as of May 19, there were at least 42,000 instances of Zyxel devices on the public internet. Rapid7 noted that this number only includes devices that expose their web interfaces on the WAN, which is not a default setting.
“Since the vulnerability is in the VPN service, which is enabled by default on the WAN, we expect the actual number of exposed and vulnerable devices to be much higher.” reads the alert published by Rapid7. “As of May 26, the vulnerability is being widely exploited, and compromised Zyxel devices are being leveraged to conduct downstream attacks as part of a Mirai-based botnet. Mirai botnets are frequently used to conduct DDoS attacks.”
The vulnerability is being actively exploited to recruit vulnerable devices in a Mirai-like botnet.
Researchers from Shadwserver also confirmed that the issue is under active exploitation to build a Mirai-based botnet.
Zyxel firewalls CVE-2023-28771 (pre-auth remote command OS injection) is being actively exploited to build a Mirai-like botnet. Internet-wide sweeps seen by over 700 of our IKEv2 aware honeypot sensors, since May 26th. Exploit PoC is public, so expect an increase in attacks. pic.twitter.com/5GSiLhCrAJ
— Shadowserver (@Shadowserver) May 27, 2023
Now Fortinet experts observed attacks occurring in multiple regions, including Central America, North America, East Asia, and South Asia.
“Since the publication of the exploit module, there has been a sustained surge in malicious activity. Analysis conducted by FortiGuard Labs has identified a significant increase in attack bursts starting from May.” reads the post published by Fortinet. “We also identified multiple botnets, including Dark.IoT, a variant based on Mirai, as well as another botnet that employs customized DDoS attack methods. In this article, we will provide a detailed explanation of the payload delivered through CVE-2023-28771 and associated botnets.”
The experts noticed that the attackers specifically target the command injection flaw in the Internet Key Exchange (IKE) packet transmitted over UDP on Zyxel devices. The attackers were spotted using tools such as curl or wget to download scripts for further malicious actions.
The script files employed in these attacks exclusively download files aimed at the MIPS architecture, a circumstance that suggests a highly specific target.
This campaign utilized multiple servers to launch attacks, Fortinet researchers reported that the malware updated itself within a few days to maximize the compromise of Zyxel devices
The researchers believe that multiple actors are actively exploiting the issue to build their own DDoS botnets. Another botnet that was spotted exploiting the flaw is known as Katana, which is advertised on a Telegram group called “SHINJI.APP | Katana botnet.” The threat actors behind the latter botnet announced that they have updated the botnet’s methods and performing maintenance tasks.
“Targeting vulnerable devices has always been a primary objective for threat actors, and the prevalence of remote code execution attacks poses a major concern for IoT devices and Linux servers. The presence of exposed vulnerabilities in devices can lead to significant risks. Once an attacker gains control over a vulnerable device, they can incorporate it into their botnet, enabling them to execute additional attacks, such as DDoS.” concludes the report. “To effectively address this threat, it is crucial to prioritize the application of patches and updates whenever possible.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Zyxel)
Security / November 03, 2025
