Full Report
Zyxel users beware: a critical remote code execution flaw (CVE-2023-28771) in Zyxel firewall and VPN devices is under active exploitation by a Mirai-like botnet. GreyNoise observed a surge in exploitation attempts starting June 16, 2023, targeting exposed devices globally.
Analysis Summary
# Vulnerability: Critical RCE in Zyxel Devices Facing Active Exploitation
## CVE Details
- CVE ID: CVE-2023-28771
- CVSS Score: Not stated in the source article. Zyxel's advisory rates the flaw CVSS v3.1 9.8 (Critical): unauthenticated, network-reachable, no user interaction, full compromise of the device.
- CWE: Not stated in the source article. Zyxel and NVD classify it as OS command injection (CWE-78).
## Affected Systems
- Products: The article names only "Zyxel devices". Zyxel's advisory lists the ATP, USG FLEX, VPN and ZyWALL/USG firewall series.
- Versions: Per Zyxel's advisory, ZLD firmware V4.60 through V5.35 on ATP, USG FLEX and VPN, and ZLD V4.60 through V4.73 on ZyWALL/USG.
- Configurations: Devices whose IKE service (UDP 500) is reachable from an untrusted network, which in practice means any internet-facing firewall or VPN gateway running affected firmware.
## Vulnerability Description
The article describes the vulnerability only as a critical **Remote Code Execution (RCE)** flaw. Zyxel's advisory is more specific: improper error-message handling in the firewall's IKE packet decoder lets an unauthenticated remote attacker execute OS commands on the device by sending a crafted packet to UDP 500. Because the decoder runs before any authentication, exposure of the VPN service is sufficient for compromise.
## Exploitation
- Status: **Actively exploited in the wild**. GreyNoise observed a Mirai-like botnet aggressively targeting devices globally starting around June 16, 2023.
- Complexity: Low. The attack needs no credentials or user interaction and fits in a single crafted UDP packet, which is why it lends itself to the automated, internet-wide exploitation GreyNoise observed.
- Attack Vector: Network. The attacker only needs to reach the device's IKE listener on UDP 500.
## Impact
- Confidentiality: High. OS command execution on a firewall exposes its configuration, credentials and the traffic it mediates.
- Integrity: High. The attacker can alter firewall and VPN configuration or install persistent implants.
- Availability: High. Mirai-style botnets enlist compromised devices for DDoS and further scanning, which degrades the device and the network behind it.
## Remediation
### Patches
- The article does not name fixed versions. Zyxel published fixed firmware in April 2023: ZLD V5.36 for ATP, USG FLEX and VPN, and ZLD V4.73 Patch 1 for ZyWALL/USG. Confirm the exact build for your model against the official Zyxel advisory before upgrading.
### Workarounds
- No workarounds are given in the article. Patching is the fix; where it must be delayed, the exposure can be reduced by restricting inbound UDP 500 to the addresses of known VPN peers and by not exposing the VPN service on interfaces that do not need it. Devices already exposed during the exploitation window should be treated as potentially compromised, not merely patched.
## Detection
- Indicators of Compromise (IoCs): The article publishes no file hashes, C2 addresses or payload names. The network-level indicator is a surge of inbound IKE (UDP 500) probing from many distinct sources, which GreyNoise observed from June 16, 2023 onward.
- Detection methods and tools: Legitimate IKE traffic to a VPN gateway comes from a small, stable set of peers, so UDP 500 connections from unknown sources are the scanning signature. After the fact, look for post-compromise behaviour typical of Mirai variants: the firewall itself opening outbound connections to unfamiliar hosts, scanning other networks, or emitting DDoS traffic. GreyNoise's observation shows that sensor or flow telemetry on the exposed interface is enough to see the campaign.
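As an added example (not code from the Hackread article, GreyNoise or Zyxel), the following Python script applies the detection idea above to firewall log lines: IKE traffic on UDP 500, the port through which CVE-2023-28771 is reached, should come from a known set of VPN peers, so a burst of distinct non-peer sources within a short window is flagged. The log format, the peer allowlist, the window size, the threshold and all sample lines are constructed assumptions; adapt the regex to your own firewall's export format.

```python
"""Flag windows with a surge of UDP/500 (IKE) traffic from unknown sources.

Added example, not from the article or from GreyNoise/Zyxel. The log
format below is an assumption; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example):
# "<ISO-8601 UTC timestamp> proto=<proto> src=<ip> dst=<ip> dport=<port> action=<allow|drop>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed: the one VPN peer this site legitimately negotiates IKE with.
KNOWN_IKE_PEERS = {"198.51.100.7"}
WINDOW_SECONDS = 300            # 5-minute buckets (assumption)
DISTINCT_SOURCE_THRESHOLD = 3   # unknown IKE sources per window before alerting (assumption)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2023-06-16T09:00:05Z proto=udp src=198.51.100.7 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:00:40Z proto=udp src=192.0.2.99 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:01:02Z proto=tcp src=192.0.2.15 dst=203.0.113.10 dport=443 action=allow
2023-06-16T09:12:00Z proto=udp src=192.0.2.1 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:12:03Z proto=udp src=192.0.2.2 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:12:07Z proto=udp src=192.0.2.3 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:12:07Z proto=udp src=192.0.2.3 dst=203.0.113.10 dport=500 action=allow
2023-06-16T09:13:41Z proto=udp src=192.0.2.4 dst=203.0.113.10 dport=500 action=drop
this line is malformed and must be skipped, not crash the parser
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def ike_surge_windows(lines, known_peers=KNOWN_IKE_PEERS,
                      window=WINDOW_SECONDS, threshold=DISTINCT_SOURCE_THRESHOLD):
    """Return one alert per time window in which >= threshold distinct
    non-peer sources sent UDP/500 traffic. Dropped packets still count:
    a scanner that was blocked is still a scanner."""
    buckets = defaultdict(set)  # window start (epoch seconds) -> set of unknown sources
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "udp" or ev["dport"] != 500:
            continue
        if ev["src"] in known_peers:
            continue  # expected VPN peer, not a scanning source
        bucket = int(ev["ts"].timestamp()) // window * window
        buckets[bucket].add(ev["src"])

    alerts = []
    for bucket in sorted(buckets):
        sources = buckets[bucket]
        if len(sources) >= threshold:
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
                "distinct_sources": len(sources),
                "sources": sorted(sources),
            })
    return alerts


if __name__ == "__main__":
    for alert in ike_surge_windows(SAMPLE_LOG.splitlines()):
        print(f"{alert['window_start']}: {alert['distinct_sources']} unknown IKE sources "
              f"-> {', '.join(alert['sources'])}")
```

Tune the threshold against a quiet-period baseline rather than guessing: a gateway with many dynamic-IP remote-access peers will need either a larger threshold or a peer allowlist derived from the VPN configuration. Run against the SAMPLE_LOG, the 09:00 window (one unknown source) stays silent and the 09:10 window (four unknown sources, one of them dropped) raises the alert.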
## References
- Vendor advisory: Zyxel security advisory for CVE-2023-28771 (published April 2023), which lists affected models and fixed firmware versions.
- Source article (defanged): hXXps[:]//hackread[.]com/zyxel-devices-active-exploits-cve-2023-28771-vulnerability/