CVE-2023-28771

Published Apr 25, 2023

Last updated 6 months ago

Exploit knownCVSS critical 9.8
VPN

Overview

Description
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
Source
security@zyxel.com.tw
NVD status
Analyzed
Products
atp100_firmware, atp100w_firmware, atp200_firmware, atp500_firmware, atp700_firmware, atp800_firmware, usg_flex_100_firmware, usg_flex_100w_firmware, usg_flex_200_firmware, usg_flex_50_firmware, usg_flex_500_firmware, usg_flex_50w_firmware, usg_flex_700_firmware, vpn100_firmware, vpn1000_firmware, vpn300_firmware, vpn50_firmware, zywall_usg_310_firmware, zywall_usg_100_firmware

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Zyxel Multiple Firewalls OS Command Injection Vulnerability
Exploit added on
May 31, 2023
Exploit action due
Jun 21, 2023
Required action
Apply updates per vendor instructions.

Weaknesses

security@zyxel.com.tw
CWE-78
nvd@nist.gov
CWE-78

Social media

Hype score
Not currently trending

  1. GreyNoise researchers have observed exploit attempts targeting the remote code execution vulnerability CVE-2023-28771 in Zyxel devices. On June 16, GreyNoise researchers detected exploit attempts targeting CVE-2023-2877... https://t.co/qlK9ZGhO2d

    @pedri77

    27 Mar 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Zyxel 製品に対する標的型攻撃を検出:RCE 脆弱性 CVE-2023-28771 を悪用 https://t.co/kitBEIcl87 Zyxel 製品の RCE 脆弱性 CVE-2023-28771 を悪用する攻撃が検出されました。IKE ポートを通じた認証不要のコード実行という点と

    @iototsecnews

    30 Jun 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Zyxel device owners, heads up! Active exploits are targeting CVE-2023-28771. Patch your devices ASAP to avoid compromise! #Cybersecurity #InfoSec https://t.co/TjGHzn39Fe

    @xcybersecnews

    28 Jun 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Attackers target Zyxel RCE vulnerability CVE-2023-28771 https://t.co/OEmFp8xLjL #cybersecurity https://t.co/m6YCtqsSAD

    @cliffvazquez

    26 Jun 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. A serious security vulnerability, tracked as CVE-2023-28771, is affecting Zyxel networking devices. Security researchers at GreyNoise noticed a sudden sharp rise, and a concentrated effort by attackers to exploit this flaw on June 16th. https://t.co/ORwoSnPHsc

    @blackwired32799

    24 Jun 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Zyxel Devices Hit by Active Exploits Targeting CVE-2023-28771 Vulnerability https://t.co/ARv6FZsAP1 #infosec #security

    @NotTruppi

    23 Jun 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 📢พบการโจมตีช่องโหว่ RCE บนอุปกรณ์ Zyxel ที่ช่องโหว่ CVE-2023-28771 #NCSA #CybersecurityNew สามารถติดตามข่าวสารได้ที่ https://t.co/HCsLrrYz4c https://t.

    @ThaiCERTByNCSA

    19 Jun 2025

    6 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Zyxel CVE-2023-28771 vulnerability resurfaces with increased attack attempts, possibly by Mirai botnet, targeting devices once exploited in Denmark’s critical infrastructure. Stay vigilant! ⚠️ #CyberAttack #Denmark #IoT https://t.co/Ng98xjBsVr

    @TweetThreatNews

    17 Jun 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  2. strongSwan versions 4.5.0 prior to 6.0.5 contain an integer underflow vulnerability in the EAP-TTLS AVP parser that allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication. Attackers can exploit the failure to validate AVP length fields before subtraction to trigger excessive memory allocation or NULL pointer dereference, crashing the charon IKE daemon.CVE-2026-25075
  3. Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data VulnerabilityCVE-2026-20131
  4. A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of service (DoS) condition to new Remote Access SSL VPN connections. This does not affect the management interface, though it may become temporarily unresponsive. This vulnerability is due to trusting user input without validation. An attacker could exploit this vulnerability by sending crafted packets to the Remote Access SSL VPN server. A successful exploit could allow the attacker to cause the device web interface to stop responding, resulting in a DoS condition.CVE-2026-20103
  5. A vulnerability has been found in D-Link DWR-M960 1.01.07. This affects the function sub_4196C4 of the file /boafrm/formVpnConfigSetup of the component VPN Configuration Endpoint. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.CVE-2026-2961

References

Sources include official advisories and independent security research.