CVE-2023-28771

CVSS 9.8 CRITICAL

📋 TL;DR

This vulnerability, an improper error-message handling bug in the IKE (IPsec VPN) service of Zyxel firewalls, allows an unauthenticated remote attacker to execute arbitrary operating system commands on an affected device by sending specially crafted IKE packets to UDP port 500. It affects multiple Zyxel firewall product lines running vulnerable ZLD firmware versions. Because the IKE service is exposed on the WAN interface and no authentication or existing VPN session is needed, an attacker who can reach the device can take full control of it with a single crafted exchange.

💻 Affected Systems

Products:
  • Zyxel ZyWALL series
  • Zyxel USG series
  • Zyxel VPN series
  • Zyxel USG FLEX series
  • Zyxel ATP series
Versions: Firmware versions 4.60 through 4.73 for ZyWALL/USG; versions 4.60 through 5.35 for VPN, USG FLEX, and ATP series
Operating Systems: Zyxel proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Every device running a vulnerable firmware version is exploitable out of the box: the IKE service that processes the crafted packet is enabled by default, no special configuration is required, and no credentials are needed.

📦 What is this software?

Zyxel ZyWALL, USG, USG FLEX, ATP and VPN devices are network security appliances (firewall/UTM with IPsec VPN termination) running Zyxel's ZLD firmware. They are typically deployed at the network edge of small and mid-sized organisations, with the IKE/IPsec VPN service listening on the internet-facing WAN interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the firewall leading to network infiltration, data exfiltration, lateral movement into internal networks, and persistent backdoor installation.

🟠 Likely Case: Unauthenticated remote code execution allowing attackers to reconfigure firewall rules, intercept traffic, or use the device as a pivot point for further attacks. In practice the most common outcome has been mass exploitation to enrol exposed devices in botnets.

🟢 If Mitigated: Limited impact if the IKE service is not reachable from untrusted networks and network segmentation prevents lateral movement from a compromised device.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and the vulnerability has been exploited in the wild, including by Mirai-based botnets that mass-scan for exposed Zyxel devices. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 31 May 2023.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ZyWALL/USG: 4.73 Patch 1 or later; VPN/USG FLEX/ATP: 5.36 Patch 1 or later

Vendor Advisory: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls

Restart Required: Yes

Instructions:

1. Identify your model's series (ZyWALL/USG, VPN, USG FLEX or ATP) and download the matching fixed firmware (4.73 Patch 1 or 5.36 Patch 1, or later) from the Zyxel support portal.
2. Back up the current configuration.
3. Upload and install the firmware update via the web interface or CLI.
4. Reboot the device. The upgrade requires a restart, so plan a maintenance window: all VPN tunnels terminated on the device will drop.
5. After the reboot, verify the firmware version, including the patch level.
6. Because this bug was exploited in the wild before many devices were patched, check the device for signs of prior compromise (unknown admin accounts, unexpected configuration changes, outbound connections from the firewall itself) before trusting it; if in doubt, reset to factory defaults and restore a known-good configuration.

🔧 Temporary Workarounds

Block inbound IKE at the WAN

Applies to: all affected series

Temporarily drop inbound UDP port 500 (IKE) and UDP port 4500 (IPsec NAT-T) on the WAN interface, or filter them upstream of the device. Caveat: this disables every IPsec VPN the device terminates (site-to-site and remote-access). Where VPN is required, restrict inbound IKE to the public IP addresses of known VPN peers instead of blocking it outright. Because IKE runs over UDP, a source-IP allow-list can be bypassed by address spoofing if the attack needs no reply from the device, so treat it as a stopgap and patch as soon as possible.

Restrict management access

Applies to: all affected series

Limit access to the management interfaces (HTTPS, SSH) to trusted IP addresses using firewall rules. Note that this is defence in depth only: the vulnerability is in the IKE service, not the management interface, so restricting management access does not block the attack itself. It limits what an attacker can do after exploitation and reduces exposure to other flaws.

🧯 If You Can't Patch

  • Isolate affected devices in separate network segment with strict access controls
  • Implement network monitoring for suspicious IKE traffic patterns and command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the running firmware version on the web interface dashboard or with the CLI command 'show version', and compare it, including the patch level, against the fixed version for your series. A device on 5.36 without Patch 1 (or on 4.73 without Patch 1 for ZyWALL/USG) is not fixed.

Check Version:

show version

Verify Fix Applied:

Verify the firmware version is at least: ZyWALL/USG: 4.73 Patch 1; VPN/USG FLEX/ATP: 5.36 Patch 1. The version check says nothing about exposure, so also confirm whether UDP 500/4500 on the WAN is reachable from the internet and whether that is intended.
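
As an added example (not part of the original advisory card and not a Zyxel tool), the following Python script parses a firmware version string, or pasted 'show version' output, and applies the fixed-version rules above for each series. It assumes Zyxel's version format V<major>.<minor>(<platform code>.<patch>), e.g. V5.36(ABUJ.1) for 5.36 Patch 1 and .0 for the unpatched release; the 'show version' sample is constructed and the platform codes are placeholders.

```python
import re

# Assumption (not stated on this page): Zyxel ZLD firmware versions are printed as
# "V5.36(ABUJ.1)", i.e. V<major>.<minor>(<platform code>.<patch>), where ".0" is
# the unpatched release and ".1" is Patch 1. A trailing "C0" style suffix is ignored.
VERSION_RE = re.compile(r"V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)")

# First affected release and fixed version per series, as listed on this page
# (affected: 4.60-4.73 for ZyWALL/USG, 4.60-5.35 for VPN/USG FLEX/ATP).
SERIES = {
    "ZyWALL/USG": {"first": (4, 60), "fix": (4, 73, 1)},
    "VPN":        {"first": (4, 60), "fix": (5, 36, 1)},
    "USG FLEX":   {"first": (4, 60), "fix": (5, 36, 1)},
    "ATP":        {"first": (4, 60), "fix": (5, 36, 1)},
}


def parse_version(text):
    """Extract (major, minor, patch) and the platform code from a version string
    or from the whole output of `show version`. Raises ValueError if absent."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Zyxel firmware version found in {text!r}")
    major, minor, platform, patch = m.groups()
    return (int(major), int(minor), int(patch)), platform


def assess(series, text):
    """Return 'vulnerable', 'patched' or 'older-than-advisory' for a device of
    the given series running the firmware version found in `text`."""
    version, _ = parse_version(text)
    info = SERIES[series]
    if version[:2] < info["first"]:
        # Not in the vendor's affected list, but long unsupported: upgrade anyway.
        return "older-than-advisory"
    if version >= info["fix"]:
        return "patched"
    # Either inside the listed affected range (e.g. 5.35) or the fix release at a
    # lower patch level (e.g. 5.36 Patch 0): both are below the fixed version.
    return "vulnerable"


# Constructed sample `show version` output; only the version field matters here.
SAMPLE_SHOW_VERSION = """\
Zyxel Communications Corp.
image number   model    firmware version   build date            boot status
  1            ATP500   V5.35(ABUJ.0)      2023-03-01 12:00:00   Running
"""

if __name__ == "__main__":
    checks = [("ATP", SAMPLE_SHOW_VERSION), ("ATP", "V5.36(ABUJ.1)"),
              ("ZyWALL/USG", "V4.73(AAPH.0)"), ("ZyWALL/USG", "V4.73(AAPH.1)")]
    for series, text in checks:
        print(series, parse_version(text)[0], "->", assess(series, text))
```

Paste the full 'show version' output from each device into parse_version; the regex finds the version field wherever it sits in the table. The comparison deliberately treats the fix release at patch level 0 as unpatched, since the page lists Patch 1 as the fixed build.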

📡 Detection & Monitoring

Log Indicators:

  • IKE log entries (negotiation failures, decode errors) from source IPs that are not known VPN peers, especially bursts of them
  • Unexpected process executions on the device, e.g. shells or download utilities started by the IKE daemon
  • Configuration changes, new admin accounts or firmware changes with no matching authenticated admin session

Network Indicators:

  • Malformed or unusual IKE packets to UDP port 500/4500, typically from many unrelated source IPs (scanning)
  • Outbound connections originating from the firewall itself (not traffic passing through it) to unexpected destinations, e.g. second-stage downloads or C2 check-ins

SIEM Query (pseudo-syntax; adapt the field names to your SIEM and to the fields your Zyxel syslog forwarding produces):

device_type="zyxel_firewall" AND (event_type="process_execution" OR event_type="configuration_change") AND NOT user IN (<authorised admin accounts>)
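
The network indicators above can be checked with a small parser. As an added example (not from the original page, and not a signature for the actual exploit packet), this Python code walks the IKE header and generic payload chain of a UDP datagram, flags length inconsistencies (the malformed-packet case) and flags mostly-printable payload bodies that contain shell metacharacters, which is the generic shape of a command-injection string. The sample datagrams, the payload types chosen for them and the 90% printable threshold are constructed assumptions, not facts about CVE-2023-28771.

```python
import re
import struct

# IKE header (RFC 7296 section 3.1; ISAKMP/IKEv1 uses the same 28-byte layout):
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_HEADER_LEN = IKE_HEADER.size          # 28
PAYLOAD_HDR = struct.Struct("!BBH")       # next payload, critical/reserved, length
IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08

# Characters a shell would interpret. Random binary (nonces, KE, encrypted payloads)
# hits these by chance, so the check only fires on mostly-printable payload bodies.
SHELL_META = re.compile(rb"[;`|&$<>\n]")


def mostly_printable(data, threshold=0.9):
    if not data:
        return False
    printable = sum(1 for c in data if 0x20 <= c < 0x7F or c in (0x09, 0x0A, 0x0D))
    return printable / len(data) >= threshold


def parse_ike(datagram):
    """Walk the IKE header and payload chain; return a list of finding strings
    (empty list means nothing suspicious was seen)."""
    findings = []
    if len(datagram) < IKE_HEADER_LEN:
        return ["truncated: shorter than the 28-byte IKE header"]
    _spi_i, _spi_r, ptype, version, _exch, _flags, _msg_id, length = IKE_HEADER.unpack_from(datagram)
    if version >> 4 not in (1, 2):
        findings.append(f"unknown IKE major version {version >> 4}")
    if length != len(datagram):
        findings.append(f"header length {length} != datagram length {len(datagram)}")
    offset = IKE_HEADER_LEN
    while ptype != 0:                      # next-payload 0 terminates the chain
        if offset + PAYLOAD_HDR.size > len(datagram):
            findings.append("payload chain runs past end of datagram")
            break
        nxt, _crit, plen = PAYLOAD_HDR.unpack_from(datagram, offset)
        if plen < PAYLOAD_HDR.size or offset + plen > len(datagram):
            findings.append(f"payload type {ptype}: bad length {plen} at offset {offset}")
            break
        body = datagram[offset + PAYLOAD_HDR.size:offset + plen]
        if mostly_printable(body) and SHELL_META.search(body):
            findings.append(f"payload type {ptype}: shell metacharacters in printable body {body!r}")
        offset += plen
        ptype = nxt
    else:
        if offset != len(datagram):
            findings.append(f"{len(datagram) - offset} trailing bytes after last payload")
    return findings


def is_suspicious(datagram):
    return bool(parse_ike(datagram))


def build_ike(payloads, exchange=IKE_SA_INIT, version=0x20):
    """Constructed IKEv2 datagram from a list of (payload_type, body) pairs."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, first, version, exchange,
                             FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(chain))
    return header + chain


# Constructed samples: not real captures and not the CVE-2023-28771 exploit packet.
NONCE, VENDOR_ID = 40, 43
BENIGN = build_ike([(NONCE, bytes(range(0x80, 0xA0))),
                    (VENDOR_ID, b"constructed-benign-vendor-id")])
SUSPICIOUS = build_ike([(NONCE, bytes(range(0x80, 0xA0))),
                        (VENDOR_ID, b"abc;$(id);def")])
TRUNCATED = BENIGN[:-5]                   # header length no longer matches

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("suspicious", SUSPICIOUS), ("truncated", TRUNCATED)]:
        print(name, parse_ike(pkt))
```

To run this over real traffic, feed parse_ike the UDP payload of each packet to port 500 or 4500 (for 4500, skip the four-byte non-ESP marker first). Expect false positives from IKEv1 implementations that send text-like vendor IDs, so tune the metacharacter set and threshold before alerting on it.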
