AttackerKB AKB:DC0924C2-2FF3-4148-AF0E-48A6E58B0B39
History: May 23, 2023 - 12:00 a.m.

CVE-2023-28771

attackerkb.com
CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.919 High
Percentile: 98.6%

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

Recent assessments:

ccondon-r7 at May 19, 2023 6:44pm UTC reported:

Per @sfewer-r7’s Rapid7 analysis:

> CVE-2023-28771 was introduced into the firmware from version 4.60, which was released on October 21, 2020, more than two and a half years ago. The vulnerable component is the Internet Key Exchange (IKE) packet decoder, which forms part of the IPSec VPN service offered by the device. Note: A VPN does not need to be configured on the device for the device to be vulnerable — an affected device is vulnerable in a default state. An attacker can send a specially crafted UDP packet to port 500 in the WAN interface and achieve unauthenticated command execution as the root user.

40K+ exposed web interfaces, which probably undersells exposure. Attackers tend to like these devices, and the vuln’s been hiding in the firmware for years now. Likely to be exploited at scale, possibly exploited under the radar already.

Assessed Attacker Value: 5
Assessed Attacker Value: 4
