Zyxel Firewalls Under Attack! Urgent Patching Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday placed two recently disclosed flaws in Zyxel firewalls to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities, tracked as CVE-2023-33009 and CVE-2023-33010, are buffer overflow vulnerabilities that could enable an unauthenticated attacker to cause a denial-of-service (DoS) condition and remote code execution.

Patches to plug the security holes were released by Zyxel on May 24, 2023. The following list of devices are affected –

• ATP (versions ZLD V4.32 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• USG FLEX (versions ZLD V4.50 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• USG FLEX50(W) / USG20(W)-VPN (versions ZLD V4.25 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2)
• VPN (versions ZLD V4.30 to V5.36 Patch 1, patched in ZLD V5.36 Patch 2), and
• ZyWALL/USG (versions ZLD V4.25 to V4.73 Patch 1, patched in ZLD V4.73 Patch 2)

While the exact nature of the attacks is unknown, the development comes days after another flaw in Zyxel firewalls (CVE-2023-28771) has come under active exploitation to ensnare susceptible devices into a Mirai botnet.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by June 26, 2023, to secure their networks against possible threats.

Zyxel, in a new guidance issued last week, is also urging customers to disable HTTP/HTTPS services from WAN unless “absolutely” required and disable UDP ports 500 and 4500 if not in use.

The development also comes as the Taiwanese company released fixes for two flaws in GS1900 series switches (CVE-2022-45853) and 4G LTE and 5G NR outdoor routers (CVE-2023-27989) that could result in privilege escalation and denial-of-service (DoS).