A critical security vulnerability, tracked as CVE-2023-28771, is currently affecting numerous Zyxel networking devices and raising alarm among cybersecurity experts. Notably, researchers from GreyNoise reported a significant spike in exploitation attempts against this vulnerability beginning June 16th. The flaw allows remote code execution, meaning attackers can run malicious programs on affected devices without physical access.
Historically, attempts to exploit this Zyxel flaw had been relatively rare, but the situation changed drastically on June 16th, when GreyNoise documented 244 distinct IP addresses attempting to exploit the issue within a single day. The attacks have primarily targeted devices located in India, Spain, Germany, the United States, and the United Kingdom, highlighting the global reach of this threat.
Upon investigation, all attacking addresses were found to be registered to Verizon Business infrastructure in the United States. However, because the attacks arrive over UDP port 500 (IKE), and UDP source addresses can be forged without completing a handshake, researchers believe the true origin may be hidden behind spoofing. GreyNoise further indicated that these attacks may be connected to variants of the notorious Mirai botnet, which is known for compromising network devices.
In light of these developments, cybersecurity experts are strongly advising immediate action. They recommend blocking the 244 identified malicious IP addresses and ensuring that internet-connected Zyxel devices have the security updates for CVE-2023-28771 installed. Device owners are advised to monitor for unusual activity following exploit attempts and to limit exposure of IKE/UDP port 500 through network filters. Vulnerabilities in Zyxel devices have recurred, and past incidents suggest a pattern of security challenges for the company.
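The monitoring advice above can be turned into a simple detection: count how many distinct source addresses hit IKE/UDP port 500 each day and flag a day whose count jumps well above the baseline, which is the same signal GreyNoise used when it saw 244 sources appear on June 16th. The script below is an added example, not code from GreyNoise or Zyxel; it assumes a constructed, syslog-like firewall log format and sample lines that are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article), in an
# assumed "timestamp action proto src dst dport" layout.
SAMPLE_LOG = """\
2023-06-15T09:12:01Z ALLOW UDP 203.0.113.10 198.51.100.5 500
2023-06-15T11:40:22Z ALLOW UDP 203.0.113.11 198.51.100.5 500
2023-06-16T00:05:13Z ALLOW UDP 203.0.113.20 198.51.100.5 500
2023-06-16T00:05:14Z ALLOW UDP 203.0.113.21 198.51.100.5 500
2023-06-16T00:05:15Z ALLOW UDP 203.0.113.22 198.51.100.5 500
2023-06-16T00:05:16Z ALLOW UDP 203.0.113.23 198.51.100.5 500
2023-06-16T00:05:17Z ALLOW UDP 203.0.113.23 198.51.100.5 500
2023-06-16T00:05:18Z ALLOW UDP 203.0.113.24 198.51.100.5 500
2023-06-16T03:30:00Z ALLOW TCP 203.0.113.99 198.51.100.5 443
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)$"
)


def distinct_ike_sources_per_day(log_text):
    """Return {day: set(src)} for packets sent to UDP/500 (IKE)."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        if m["proto"] != "UDP" or m["dport"] != "500":
            continue
        per_day[m["day"]].add(m["src"])
    return per_day


def flag_spikes(per_day, baseline_days, factor=2.0, min_sources=3):
    """Flag days whose distinct-source count exceeds factor x baseline mean.

    Returned source lists are candidates for review, not an authoritative
    block list: UDP sources can be spoofed, so patching matters more."""
    base = [len(per_day.get(d, ())) for d in baseline_days]
    mean = sum(base) / len(base) if base else 0.0
    flagged = {}
    for day, srcs in per_day.items():
        if day in baseline_days:
            continue
        if len(srcs) >= min_sources and len(srcs) > factor * mean:
            flagged[day] = sorted(srcs)
    return flagged
```

Run against a real export, the baseline should span at least a week of quiet days so that normal VPN peers do not trip the threshold.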