
CVE-2023-28771: Zyxel Firewall — Pre-Auth OS Command Injection

CVE Details

CVE ID: CVE-2023-28771
CVSS Score: 9.8
Severity: Critical
Vendor: Zyxel
Product: Zyxel Firewall
Patch Status: Available
Published: May 31, 2023
EPSS Score: 94.3%
CISA Patch Deadline: June 21, 2023 (federal deadline passed)

Background

Zyxel is back on the list. Less than a year after CVE-2022-30525 (another unauthenticated command injection in Zyxel firewalls), researchers found another critical flaw in the IKE (Internet Key Exchange) handling code. CVE-2023-28771 is arguably worse than the previous one — it doesn’t require the HTTP management interface to be exposed, just the IPsec/VPN port.

The IKE protocol is used to negotiate VPN tunnel parameters. Zyxel’s ATP and VPN series firewalls need to listen on UDP/500 and UDP/4500 to handle VPN connections. That means any organisation using these devices for site-to-site VPN or remote access VPN has this port exposed — there’s no way to “restrict the attack surface” without disabling VPN entirely.

Technical Mechanism

The vulnerability is in Zyxel’s IKE implementation. When the firewall processes an IKEv2 packet, it parses various fields from the packet header and payload. The error message logging routine that handles malformed packet processing passes user-controlled data from the packet directly to a system command without sanitisation.

Specifically, certain fields in the IKE notification payload are included in diagnostic log messages using a call similar to:

system(format_string(template, packet_field));

By crafting an IKEv2 packet with shell metacharacters in the appropriate field, an attacker can inject arbitrary OS commands. The IKE daemon runs as root on these devices, so code execution is immediately at the highest privilege level.

The exploit flow:

  1. Send a crafted UDP packet to port 500 (or 4500) of the target
  2. Packet contains shell injection payload in specific IKE notification fields
  3. The IKE daemon parses the packet and executes the injected command as root
  4. No authentication, no credentials, no prior access required

This is an unauthenticated root compromise reachable by anyone who can send a UDP packet to the VPN port. It’s about as bad as it gets for a perimeter device.

Real-World Exploitation Evidence

Following Zyxel’s April 2023 patch and the Rapid7 technical writeup in late April, the Mirai botnet ecosystem was quick to adopt this:

  • Multiple Mirai variants — botnet operators integrated CVE-2023-28771 into their exploitation frameworks within days of public disclosure
  • Moobot — a Mirai-derived botnet specifically targeting routers and firewalls; CVE-2023-28771 was added to its scanning arsenal
  • CISA KEV listing — added rapidly given the ease of exploitation and broad exposure of Zyxel devices

Researchers at Censys and Shodan identified over 20,000 vulnerable Zyxel devices exposed to the internet at the time of disclosure. The real number is likely higher given that VPN ports are often not indexed accurately.

Impact Assessment

  • Root code execution on the firewall device
  • Complete firewall policy bypass — root access means attackers can modify firewall rules, exposing internal services
  • VPN credential access — IPsec pre-shared keys and certificates are accessible from the device configuration
  • Network traffic interception — modify routing or mirror traffic
  • Botnet deployment — most observed exploitation is for DDoS botnet recruitment
  • Persistent access — modified startup scripts or dropped SSH keys survive reboots
  • Pivot to internal network — compromised firewall is the perfect pivot point

Affected Versions

Product                 Affected Versions         Fixed Version
Zyxel ATP Series        ZLD 4.32–5.36 Patch 1     ZLD 5.36 Patch 2
Zyxel USG Flex Series   ZLD 4.50–5.36 Patch 1     ZLD 5.36 Patch 2
Zyxel VPN Series        ZLD 4.30–5.36             ZLD 5.36 Patch 2
Zyxel ZyWALL/USG        ZLD 4.25–4.73             ZLD 4.73 Patch 2

Remediation Steps

  1. Update firmware to ZLD 5.36 Patch 2 or ZLD 4.73 Patch 2 as appropriate
  2. If immediate patching is not possible and you don’t need incoming VPN from untrusted hosts, restrict which peer IPs may establish IKE connections using Zyxel’s peer IP filtering
  3. Check for signs of compromise — look for unexpected processes running on the device:
    show system process
  4. Review configuration for unexpected changes — check firewall rules, routing tables, and user accounts
  5. If compromise is suspected, do not rely on the device’s own logging — logs may have been cleared or the syslog configuration modified
  6. Forward syslogs to an external SIEM before any potential compromise clears them
  7. After patching, rotate all IPsec pre-shared keys and certificates

Detection Guidance

Network monitoring — this exploit comes in via UDP/500 or UDP/4500. Monitoring IKE traffic for malformed packets is difficult without IDS/IPS capable of deep packet inspection of IKEv2.

Device logs — look for unexpected error messages in the IKE log component, particularly around failed packet parsing, combined with unexpected outbound connections from the device.

Suricata signature (UDP IKE):

alert udp any any -> any 500 (msg:"Zyxel CVE-2023-28771 IKE Command Injection Attempt"; content:"|00 00 00 00 00 00 00 00|"; offset:0; depth:8; pcre:"/[\x60\x3b\x7c\x26\x24\x28\x29]/"; classtype:attempted-admin; sid:2034009; rev:1;)

IKEv2 packets also carry random nonces and key-exchange material, so a bare PCRE for those byte values anywhere in the datagram will fire on legitimate traffic too; treat a hit as a prompt to inspect the packet’s notification payloads rather than as confirmed exploitation.
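To make the detection idea concrete, the following is an added example (not code from the page, Zyxel or Rapid7) that walks an IKEv2 payload chain and inspects only Notify payload data, the field the Technical Mechanism section describes, for printable text containing shell metacharacters, instead of grepping the whole datagram. Header layouts and payload type numbers are RFC 7296 values; the sample packets are constructed inline.

```python
import struct

# IKEv2 constants from RFC 7296 (well-known values, not taken from the page).
IKE_HDR_LEN = 28               # SPIs (16), next payload, version, exchange, flags, msg id (4), length (4)
NOTIFY, NO_NEXT = 41, 0        # Notify payload type number; end-of-chain marker
SHELL_META = set(b"`;|&$()")   # the same byte class the Suricata rule above searches for

def iter_payloads(pkt):
    """Walk the IKEv2 payload chain, yielding (payload_type, body) pairs."""
    if len(pkt) < IKE_HDR_LEN:
        return
    ptype, off = pkt[16], IKE_HDR_LEN
    while ptype != NO_NEXT and off + 4 <= len(pkt):
        nxt, _flags, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            break                               # truncated or malformed chain: stop cleanly
        yield ptype, pkt[off + 4:off + plen]
        ptype, off = nxt, off + plen

def suspicious_notifies(pkt):
    """Return message types of Notify payloads whose data looks like shell text."""
    hits = []
    for ptype, body in iter_payloads(pkt):
        if ptype != NOTIFY or len(body) < 4:
            continue
        _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
        data = body[4 + spi_size:]
        # Legitimate notify data (NAT-detection hashes, cookies, nonces) is binary;
        # all-printable data carrying shell metacharacters is what merits an alert.
        if data and all(32 <= b < 127 for b in data) and SHELL_META & set(data):
            hits.append(msg_type)
    return hits

def ike_packet(payloads):
    """Build a constructed IKE_SA_INIT packet from a list of (payload_type, body)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT
    # version 2.0, exchange type 34 (IKE_SA_INIT), initiator flag set, message id 0
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), first, 0x20, 34,
                       0x08, 0, IKE_HDR_LEN + len(chain)) + chain

def notify(msg_type, data, spi=b""):
    return struct.pack("!BBH", 1, len(spi), msg_type) + spi + data

# Constructed samples: a binary NAT_DETECTION_SOURCE_IP (16388) notify, which is normal
# traffic, and a private-range notify (40960) carrying text with a metacharacter.
BENIGN = ike_packet([(NOTIFY, notify(16388, bytes(range(20))))])
SUSPECT = ike_packet([(NOTIFY, notify(16388, bytes(range(20)))), (NOTIFY, notify(40960, b"peer;x"))])
```

The printable-text heuristic is deliberately conservative; a UDP/4500 capture needs the 4-byte non-ESP marker stripped before the header offsets apply.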

Outbound connection monitoring — if your Zyxel device starts making TCP connections to external IPs that aren’t your configured VPN peers or update servers, it’s a red flag.

Timeline

Date             Event
April 2023       Zyxel patches CVE-2023-28771
25 April 2023    Technical details published; exploitation begins
April 2023       Mirai variants begin mass exploitation
May 2023         CISA adds to Known Exploited Vulnerabilities catalogue
May 2023         US/international advisories urge immediate patching