FISA

Rapid7 is tracking reports of ongoing exploitation of   CVE-2023-28771 , a critical unauthenticated command injection vulnerability affecting multiple Zyxel networking devices. The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. A VPN does not need to be configured on a device for it to be vulnerable. Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device. Zyxel released an advisory  for CVE-2023-28771 on April 25, 2023. On May 19, Rapid7 researchers published a  technical analysis  of the vulnerability on AttackerKB, underscoring the likelihood of exploitation. As of May 19, there were at least  42,000 instances  of Zyxel devices on the public internet. However, as Rapid7 researchers  noted , this number only