Zyxel Firewall OS Command Injection
An OS command-injection vulnerability in multiple Zyxel firewall product lines allows an unauthenticated attacker to execute arbitrary commands by sending a crafted packet to the device. Exploited by Mirai-variant botnets shortly after disclosure.
- Vendor: Zyxel
- Product: ZyWALL/USG, USG FLEX, ATP, and VPN series firewalls
- CVSS: 9.8
- Status: KEV
- Published
CVE-2023-28771 is an OS command-injection vulnerability affecting multiple Zyxel firewall product lines, including the ZyWALL/USG, USG FLEX, ATP, and VPN series. Improper error-message handling lets an unauthenticated, remote attacker execute arbitrary commands by sending a specially crafted packet to an affected device.
Zyxel patched the vulnerability in late April 2023. Within weeks, security researchers observed multiple Mirai-variant botnets — including ones tracked as “Mirai-derived” and “Dark.IoT” — actively scanning for and exploiting unpatched Zyxel firewalls to expand DDoS-for-hire botnets, prompting CISA to add the CVE to its KEV catalog.
Why it mattered
Consumer- and SMB-grade firewalls and VPN appliances like Zyxel’s are a perennial botnet target precisely because they’re numerous, often unmanaged, and rarely patched promptly by their owners. A pre-auth command-injection bug with no special preconditions is close to the easiest possible bar for mass, automated exploitation — exactly the profile that botnet operators look for.
Zyxel’s security advisory and the NVD record above list affected models, firmware versions, and patch availability.