CVSSv3: 9.8

CVE-2023-28771

Published: 25/04/2023 Updated: 09/06/2023
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 up to and including 4.73, VPN series firmware versions 4.60 up to and including 5.35, USG FLEX series firmware versions 4.60 up to and including 5.35, and ATP series firmware versions 4.60 up to and including 5.35, which could allow an unauthenticated malicious user to execute some OS commands remotely by sending crafted packets to an affected device.

Vulnerable Products

zyxel atp100 firmware

zyxel atp100w firmware

zyxel atp200 firmware

zyxel atp500 firmware

zyxel atp700 firmware

zyxel atp800 firmware

zyxel usg flex 100 firmware

zyxel usg flex 100w firmware

zyxel usg flex 200 firmware

zyxel usg flex 50 firmware

zyxel usg flex 500 firmware

zyxel usg flex 50w firmware

zyxel usg flex 700 firmware

zyxel vpn100 firmware

zyxel vpn1000 firmware

zyxel vpn300 firmware

zyxel vpn50 firmware

zyxel zywall usg 310 firmware

zyxel zywall usg 310 firmware 4.73

zyxel zywall usg 100 firmware

zyxel zywall usg 100 firmware 4.73

Vendor Advisories

Check Point Reference: CPAI-2023-0356 Date Published: 6 Jun 2023 Severity: Critical ...

Exploits

This Metasploit module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmw ...

Metasploit Modules

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The affected devices are vulnerable in a default configuration and command execution is with root privileges.

msf > use exploit/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771
msf exploit(zyxel_ike_decoder_rce_cve_2023_28771) > show targets
    ...targets...
msf exploit(zyxel_ike_decoder_rce_cve_2023_28771) > set TARGET < target-id >
msf exploit(zyxel_ike_decoder_rce_cve_2023_28771) > show options
    ...show and set options...
msf exploit(zyxel_ike_decoder_rce_cve_2023_28771) > exploit

Github Repositories

PoC for CVE-2023-28771 based on Rapid7's excellent writeup

CVE-2023-28771-PoC: PoC for CVE-2023-28771 based on Rapid7's excellent writeup. Requires the scapy Python library for sending IKE packets.

usage: CVE-2023-28771-poc.py [-h] [--cmd CMD] [--lhost LHOST] [--lport LPORT] rhost

positional arguments:
  rhost

options:
  -h, --help     show this help message and exit
  --cmd CMD
  --lhost LHOST
  --lport LPORT

Recent Articles

Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks
The Register

Zyxel zero days and nation-state actors (maybe) had a hand in the sector's worst cybersecurity event on record

Danish critical infrastructure faced the biggest online attack in the country's history in May, according to SektorCERT, Denmark's specialist organization for the cybersecurity of critical kit. Detailing the attack waves in a report, it revealed that 22 companies were breached in just a few days, with some forced to enter island mode operation, where they had to disconnect from the internet. In almost all cases unpatched vulnerabilities in Zyxel firewalls meant compromise was possible, and i...