0dayNews
CVE Record
[ HIGH ] CVE-2023-28771

Zyxel Firewall OS Command Injection

An OS command-injection vulnerability in multiple Zyxel firewall product lines allows an unauthenticated attacker to execute arbitrary commands by sending a crafted packet to the device. Exploited by Mirai-variant botnets shortly after disclosure.

Vendor: Zyxel
Product: ZyWALL/USG, USG FLEX, ATP, and VPN series firewalls
CVSS: 9.8
Status: KEV
Published:
CVE-2023-28771 is an OS command-injection vulnerability affecting multiple Zyxel firewall product lines, including the ZyWALL/USG, USG FLEX, ATP, and VPN series. Improper error-message handling lets an unauthenticated, remote attacker execute arbitrary commands by sending a specially crafted packet to an affected device.

Zyxel patched the vulnerability in late April 2023. Within weeks, security researchers observed multiple Mirai-variant botnets — including ones tracked as “Mirai-derived” and “Dark.IoT” — actively scanning for and exploiting unpatched Zyxel firewalls to expand DDoS-for-hire botnets, prompting CISA to add the CVE to its KEV catalog.

Why it mattered

Consumer- and SMB-grade firewalls and VPN appliances like Zyxel’s are a perennial botnet target precisely because they’re numerous, often unmanaged, and rarely patched promptly by their owners. A pre-auth command-injection bug with no special preconditions is close to the easiest possible bar for mass, automated exploitation — exactly the profile that botnet operators look for.

Zyxel’s security advisory and the NVD record above list affected models, firmware versions, and patch availability.