Researchers tell owners to “assume compromise” of unpatched Zyxel firewalls
Firewalls made by Zyxel are being wrangled into a destructive botnet, which is taking control of them by exploiting a recently patched vulnerability with a severity rating of 9.8 out of a possible 10.

“At this stage if you have a vulnerable device exposed, assume compromise,” officials from Shadowserver, an organization that monitors Internet threats in real time, warned four days ago.

The officials said the exploits are coming from a botnet that’s similar to Mirai, which harnesses the collective bandwidth of thousands of compromised Internet devices to knock sites offline with distributed denial-of-service attacks.

According to data from Shadowserver collected over the past 10 days, 25 of the top 62 Internet-connected devices waging “downstream attacks”—meaning attempting to hack other Internet-connected devices—were made by Zyxel, as measured by IP addresses.

The software bug used to compromise the Zyxel devices is tracked as CVE-2023-28771, an unauthenticated command-injection vulnerability with a severity rating of 9.8. The flaw, which Zyxel patched on April 25, can be exploited to execute malicious code with a specially crafted IKEv2 packet sent to UDP port 500 on the device. The critical vulnerability exists in default configurations of the manufacturer’s firewall and VPN devices.

On Wednesday, the Cybersecurity and Infrastructure Security Agency placed CVE-2023-28771 on its list of known exploited vulnerabilities. The agency has given federal agencies until June 21 to fix any vulnerable devices in their networks.

With infections from CVE-2023-28771 still occurring five weeks after Zyxel fixed it, it’s clear many device owners aren’t installing security updates in a timely manner. If the poor patching hygiene carries over to the more recently fixed vulnerabilities, there will likely be more Zyxel compromises soon.
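Shadowserver’s advice boils down to a triage rule: an unpatched device that exposes the vulnerable service to the Internet should be treated as compromised, while an unpatched device that does not expose it still needs the fix urgently. The following script is an added example (not from the article, Shadowserver or Zyxel) that applies that rule to a constructed device inventory. The facts it relies on come from the article: the exploit arrives as IKEv2 traffic on UDP port 500, and Zyxel released the fix on April 25, 2023. The CSV format, device names, firmware build dates and port lists are assumptions made up for the example.

```python
"""Triage a firewall inventory against CVE-2023-28771 exposure.

Added example, not code from the article or from Zyxel. The inventory
format, device names, build dates and WAN port lists below are constructed
for illustration. Grounded in the article: the exploit packets target UDP
port 500 (IKEv2), and the vendor fix was published on 2023-04-25.
"""
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import Dict, List

FIX_RELEASED = date(2023, 4, 25)   # Zyxel patch date stated in the article
IKE_UDP_PORT = 500                 # UDP port the crafted IKEv2 packets hit

# Constructed sample inventory (assumed format): one row per firewall.
# wan_udp_ports lists UDP ports reachable from the Internet, ';'-separated.
SAMPLE_INVENTORY = """\
name,firmware_build,fix_applied,wan_udp_ports
fw-branch-01,2023-02-10,no,500;4500
fw-branch-02,2023-02-10,no,
fw-hq-01,2023-05-02,yes,500;4500
fw-lab-01,2023-02-10,yes,500
"""


@dataclass
class Device:
    name: str
    firmware_build: date        # build date of the firmware currently running
    fix_applied: bool           # what the asset record claims about the patch
    wan_udp_ports: List[int]    # UDP ports exposed on the WAN interface


def parse_inventory(text: str) -> List[Device]:
    """Parse the CSV inventory into Device records."""
    devices: List[Device] = []
    for row in csv.DictReader(StringIO(text)):
        ports = [int(p) for p in row["wan_udp_ports"].split(";") if p]
        devices.append(Device(
            name=row["name"],
            firmware_build=date.fromisoformat(row["firmware_build"]),
            fix_applied=row["fix_applied"].strip().lower() == "yes",
            wan_udp_ports=ports,
        ))
    return devices


def triage(dev: Device) -> str:
    """Classify one device using the 'exposed + unpatched => compromised' rule."""
    exposed = IKE_UDP_PORT in dev.wan_udp_ports
    if dev.fix_applied and dev.firmware_build < FIX_RELEASED:
        # A firmware build older than the fix cannot contain it; the asset
        # record is wrong and the device must be re-verified, not trusted.
        return "inconsistent-record"
    if dev.fix_applied:
        return "patched"
    if exposed:
        return "assume-compromise"
    return "patch-urgently"


def triage_report(text: str) -> Dict[str, List[str]]:
    """Group device names by triage status."""
    report: Dict[str, List[str]] = {}
    for dev in parse_inventory(text):
        report.setdefault(triage(dev), []).append(dev.name)
    return report


if __name__ == "__main__":
    for status, names in triage_report(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names)}")
```

A device in the `inconsistent-record` bucket should be handled as unpatched until the running firmware has been checked directly, since a build date earlier than the fix rules out the claimed patch; the `assume-compromise` bucket is where incident response, not just patching, starts.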