Critical Zyxel vulnerability under active exploitation after long period of quiet

Hackers are exploiting a critical vulnerability in Zyxel’s Internet Key Exchange packet decoder, GreyNoise researchers warned on Monday.

The vulnerability, tracked as CVE-2023-28771, powered a sudden wave of exploitation attempts Monday, with researchers observing 244 unique IP addresses involved in the activity. 

All of the addresses were located in the U.S. and registered to Verizon Business, but researchers caution that because the vulnerability is exploited over UDP (port 500), a connectionless protocol, the attackers may have been spoofing those source addresses.

Additional analysis suggests that the activity may be related to a variant of the Mirai botnet, researchers said. 

“Mirai-linked payloads suggest the activity may be aimed at enrolling devices into botnets for automated attacks like DDoS or scanning,” GreyNoise researchers told Cybersecurity Dive via email. 

The vulnerability, which involves an OS command injection flaw and affected multiple firewall models, has been patched since 2023. That year, Fortinet said multiple distributed denial-of-service (DDoS) botnets were trying to exploit the vulnerability.

GreyNoise researchers said Monday that the newly identified IP addresses were not involved in any other exploitation-related activity over the prior two weeks.

The company encouraged security teams to immediately block the IPs in question, patch any internet-exposed Zyxel devices and monitor them for post-exploitation activity.

The exploitation of vulnerabilities in legacy Zyxel devices has been a growing concern. In January, GreyNoise researchers warned of hackers targeting a vulnerability — tracked as CVE-2024-40891 — in Zyxel CPE devices. Similarly, researchers from VulnCheck warned in February that hackers were trying to exploit vulnerabilities in end-of-life Zyxel devices.

A spokesperson for Verizon Business was not immediately available. Zyxel officials did not immediately respond to a request for comment.
