Warning issued over ‘widespread’ exploitation of Zyxel devices
Zyxel has been forced to issue patches for several vulnerabilities, including a critical flaw in its firewalls and a separate command injection bug in its NAS devices


Security researchers at two companies have issued warnings over ‘widespread’ exploitation of Zyxel network devices.
Researchers at Rapid7 raised the alarm over the ongoing exploitation of a critical unauthenticated command injection vulnerability, tracked as CVE-2023-28771, that was found to affect multiple Zyxel devices.
The flaw was present in the default configuration of vulnerable devices, Rapid7 found, and exploitable via the Wide Area Network (WAN) interface.
The Rapid7 researchers explained that this interface is “intended to be exposed to the internet”, and that a VPN would not need to be configured on a targeted device for it to be at risk.
Successful exploitation of the vulnerability would allow an attacker to remotely execute code on a target system by sending a “specially crafted IKEv2 packet” to UDP port 500 on the device, researchers said.
Zyxel released an advisory for CVE-2023-28771 on 25 April. The US Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities catalog and warned organizations to remain vigilant.
Technical analysis from Rapid7 found that it was being “widely exploited and that compromised Zyxel devices were being leveraged to conduct downstream attacks as part of a Mirai-based botnet”.
“As of May 19, there were at least 42,000 instances of Zyxel devices on the public internet. However, this number only includes devices that expose their web interfaces on the WAN, which is not a default setting,” researchers noted.
“Since the vulnerability is in the VPN service, which is enabled by default on the WAN, we expect the actual number of exposed and vulnerable devices to be much higher.”
Additional Zyxel vulnerabilities disclosed
Zyxel has also issued a patch for a security vulnerability affecting owners of its Linux-based NAS326, NAS540, and NAS542 storage devices, which Sternum found on units running what was then the latest firmware.
These Zyxel NAS appliances allow for the storage of user data in a single location, including cloud data, photos, videos, or USB data, according to researchers at Sternum.
In an advisory, the firm said researchers were “in the process of scanning one of the Zyxel NAS units” and uncovered the flaw when a “Dangerous String Format” alert was triggered.
“In this situation, there was a problem with a ntpdate_date process, which, as the name suggests, is responsible for periodically synchronizing the device’s internal clock via NTP pings,” researchers explained.
“Knowing that it was passed as a string to ntpdate_date, Sternum researchers investigated further to see if it could be used to manipulate the device.”
Analysis revealed a flaw that an unauthenticated user could use to "execute an arbitrary system command with root privileges on the system”.
This could be used for more malicious purposes, Sternum added, such as remote malware injection.
Zyxel acknowledged the vulnerability and issued a patch and CVE notice on 30 May.
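The bug class Sternum describes, an attacker-controlled string handed to a root-owned process that builds a shell command from it, is easiest to see beside its fix. The following is an added example, not Sternum's analysis or Zyxel's firmware code: the command shape, the sample NTP server values and the injection string are all constructed here. It shows the vulnerable concatenation, the kind of metacharacter check that would raise a "dangerous string" alert, and the hardened form that allow-lists the value and runs it as a single argv element with no shell. The allow-list accepts hostnames and IPv4 addresses; IPv6 literals would need a separate check.

```python
import re
import subprocess

# Constructed sample values, not taken from any device: a legitimate NTP
# server setting and an injection attempt of the kind the page describes.
GOOD_SERVER = "pool.ntp.org"
BAD_SERVER = "pool.ntp.org; id > /tmp/pwned"

SHELL_METACHARS = set(";|&$`<>()\n\"'\\")


def vulnerable_ntpdate_command(server: str) -> str:
    """The bug class on the page (command shape is an assumption): a value
    the attacker controls is spliced into a shell command line. Passed to
    `sh -c` by a root process, everything after ';' in BAD_SERVER runs as a
    second command with root privileges."""
    return f"ntpdate -u {server}"


def has_shell_metachars(value: str) -> bool:
    """The kind of check that raises a 'dangerous string' alert before a
    string reaches the shell. Useful as a detector, not as the fix."""
    return any(c in SHELL_METACHARS for c in value)


# Hostname or dotted-quad: letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def hardened_ntpdate_argv(server: str) -> list:
    """Allow-list the value, then pass it as one argv element with no shell,
    so the kernel hands it to ntpdate verbatim whatever it contains."""
    if not _HOST_RE.match(server):
        raise ValueError(f"rejected NTP server value: {server!r}")
    return ["ntpdate", "-u", server]


def sync_clock(server: str) -> int:
    """Run the hardened command without a shell; returns ntpdate's exit status."""
    proc = subprocess.run(hardened_ntpdate_argv(server), shell=False,
                          capture_output=True, timeout=30)
    return proc.returncode


if __name__ == "__main__":
    print("vulnerable:", vulnerable_ntpdate_command(BAD_SERVER))
    print("flagged:", has_shell_metachars(BAD_SERVER))
    print("hardened argv:", hardened_ntpdate_argv(GOOD_SERVER))
```

The metacharacter check is what catches the injection at runtime; the allow-list plus argv form is what removes the bug, because there is no shell left to interpret a ';' even if one slips past a filter.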

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.