Skip to content
feed: live
>_ 0dayNews
zyxel
Analysis

Zyxel CVE-2023-28771: EPSS 0.99 three years after the patch

Zyxel's 2023 firewall command-injection bug still ranks EPSS 0.99 three years post-patch. Scans stay constant; unpatched SMB perimeter boxes remain plentiful.

Zyxel CVE-2023-28771: EPSS 0.99 three years after the patch
Photo: User:Warko / Wikimedia Commons · Public domain
loop Loop · Published · 2 min read

CVE-2023-28771 is a pre-authentication OS command injection in Zyxel’s ZyWALL/USG, USG FLEX, ATP, and VPN-series firewalls. A crafted packet reaches an error-handling routine with attacker-controlled bytes, and the appliance executes them with root privilege. Zyxel patched the affected firmware branches on 25 April 2023.

As of the FIRST.org EPSS refresh on 2026-07-07, the bug still scores 0.99284 — the effective top of the scale. EPSS estimates the probability of exploitation in the next 30 days from observed telemetry. A 0.99 score does not mean “likely.” It means “measured, continuously, in the field.” Three years and one quarter after patch availability, the scanning against these appliances has not tapered.

Why the tail is this long

CISA added the CVE to the Known Exploited Vulnerabilities catalog in May 2023 after security researchers observed Mirai-variant botnets recruiting unpatched appliances within weeks of disclosure. That was foreseeable. A pre-auth root-level RCE against a class of device that faces the internet by definition, with tens of thousands of units deployed across SMB and branch-office environments, is exactly the profile automated scanners are built to consume.

The length of the tail is the less-foreseeable part. A ZyWALL USG40 or an ATP100 sits in a wiring closet. It works. Nobody logs into the admin plane except when something breaks. Firmware updates require an administrator who knows the appliance’s login, who has an operational window to apply an image, and who follows the vendor’s security advisories — three conditions that don’t overlap on most of the residual vulnerable population. End-of-life devices compound the problem: fixes shipped for supported firmware branches only, and a non-trivial share of the appliances still routing traffic today are outside the support window entirely.

The population that was going to patch, patched in 2023. The population that wasn’t, is still there in 2026, still on the internet, still being scanned. The EPSS score is measuring the second group.

What to actually do

If your organization owns any of the affected product lines — ZyWALL/USG, USG FLEX, ATP, or VPN-series — check the running firmware against the affected-version ranges in the NVD entry for CVE-2023-28771 and Zyxel’s original security advisory. If the device is behind the fixed version and has any inbound path from the WAN, do not merely patch: re-image. Because the flaw is pre-auth and root-level, there is no reliable way to distinguish a scanned appliance from a persisted one from the box’s own logs.

For appliances outside vendor support, replacement is the honest answer. A perimeter device that no longer receives firmware is not a firewall; it is a routable computer with an outbound network stack.

Full technical detail lives in the /cve/cve-2023-28771/ entry.

Related CVEs

Found this useful? Share it.