Zyxel firewall and VPN users are being urged to update their devices after reports that attackers are actively exploiting a vulnerability in the wild to achieve remote code execution.
Zyxel patched CVE-2023-28771 in April 2023 and disclosed that the flaw affects its ATP, USG FLEX and VPN series on firmware versions ZLD V4.60 through V5.35, and its ZyWALL/USG series on ZLD V4.60 through V4.73. The fixed builds are ZLD V5.36 Patch 1 for ATP, USG FLEX and VPN, and ZLD V4.73 Patch 1 for ZyWALL/USG.
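A quick way to turn those version ranges into a fleet-wide check is to parse each device's reported ZLD version and compare it against the affected range for its product line. The script below is an added example written for this article, not Zyxel's or Rapid7's code; the affected ranges are the ones the article states, the first patched builds (ZLD V5.36 Patch 1 and ZLD V4.73 Patch 1) are taken from Zyxel's April 2023 advisory and should be confirmed against it, and the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re

# Affected ZLD firmware ranges for CVE-2023-28771 as stated in the article (inclusive),
# keyed by Zyxel product line. Tuples are (major, minor).
AFFECTED_RANGES = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZYWALL/USG": ((4, 60), (4, 73)),
}

# First patched build per line, from Zyxel's April 2023 advisory as recalled by the
# author of this example (ZLD V5.36 Patch 1 and ZLD V4.73 Patch 1); confirm against the
# vendor advisory before relying on it. Tuples are (major, minor, patch).
FIXED_BUILDS = {
    "ATP": (5, 36, 1),
    "USG FLEX": (5, 36, 1),
    "VPN": (5, 36, 1),
    "ZYWALL/USG": (4, 73, 1),
}

# Accepts "ZLD V5.35 Patch 2", "V4.73" or "5.36 patch 1"; a missing "Patch N" means patch 0.
_ZLD_RE = re.compile(r"(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?", re.IGNORECASE)


def parse_zld(version: str) -> tuple:
    """Return (major, minor, patch) for a ZLD version string, or raise ValueError."""
    m = _ZLD_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def _normalise_line(product_line: str) -> str:
    """Map the product-line names used in the article onto the table keys above."""
    key = product_line.strip().upper()
    if key not in AFFECTED_RANGES:
        raise KeyError(f"unknown Zyxel product line: {product_line!r}")
    return key


def triage(product_line: str, version: str) -> str:
    """Classify one device as 'vulnerable', 'patched' or 'outside-advisory-range'.

    A build at or above the first fixed build is 'patched'. Anything older whose
    major.minor falls inside the advisory's affected range is 'vulnerable'. Builds
    outside that range (for example pre-4.60 firmware) are reported separately rather
    than assumed safe, because the advisory says nothing about them.
    """
    key = _normalise_line(product_line)
    major, minor, patch = parse_zld(version)
    if (major, minor, patch) >= FIXED_BUILDS[key]:
        return "patched"
    low, high = AFFECTED_RANGES[key]
    if low <= (major, minor) <= high:
        return "vulnerable"
    return "outside-advisory-range"


def is_vulnerable(product_line: str, version: str) -> bool:
    return triage(product_line, version) == "vulnerable"


def triage_inventory(rows):
    """rows: iterable of (hostname, product_line, version). Returns {hostname: status}."""
    return {host: triage(line, ver) for host, line, ver in rows}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "ATP", "ZLD V5.35 Patch 2"),
    ("fw-branch-02", "USG FLEX", "ZLD V5.36 Patch 1"),
    ("vpn-dc-01", "VPN", "V5.10"),
    ("fw-legacy-01", "ZyWALL/USG", "ZLD V4.73"),
    ("fw-legacy-02", "ZyWALL/USG", "ZLD V4.73 Patch 1"),
    ("fw-legacy-03", "ZyWALL/USG", "ZLD V4.35"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Note that the patch level matters: a ZyWALL/USG on plain ZLD V4.73 sits inside the affected range, while V4.73 Patch 1 is the fixed build, so comparing only major.minor would misclassify it. Feed the function the exact version string the device reports rather than a rounded-off value.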
Researchers at Rapid7 say the bug is reachable in the default configuration of vulnerable devices and is exploitable over the WAN interface, which is by design exposed to the internet, so no VPN tunnel needs to be configured for a device to be at risk.
Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute OS commands remotely on the target system by sending a single specially crafted IKEv2 packet to UDP port 500 (the IKE port) on the device. No credentials are required. Where a device cannot be patched immediately, restricting inbound UDP/500 on the WAN to known VPN peers reduces exposure but does not fix the flaw.
The vulnerability is being exploited at scale to compromise devices and conscript them into a Mirai-based botnet, most likely for DDoS attacks. Because exploitation has been ongoing since before many devices were updated, patching should be paired with a check for signs of compromise rather than treated as a clean-up on its own.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-28771 to its Known Exploited Vulnerabilities (KEV) catalog and set a deadline of June 21, 2023, for federal agencies to patch.