CVE-2023-28771 — Zyxel Multiple Firewalls OS Command Injection Vulnerability

Zyxel ATP/USG FLEX/VPN Firewalls — Pre-Auth Command Injection via Improper IKE Error Message Handling; Mirai Botnet and Nation-State Exploitation; Patched April 2023

What is Zyxel ATP/USG FLEX?

Zyxel ATP (Advanced Threat Protection), USG FLEX, VPN, and ZyWALL/USG are network security gateway and firewall appliances widely deployed by small-to-medium businesses, enterprises, and government organizations for perimeter security, IPSec/SSL VPN connectivity, and intrusion prevention. These devices are internet-facing by design — their primary function is terminating VPN connections and providing secure remote access, meaning the vulnerable IKE service is typically exposed directly to the internet. Zyxel devices are frequently targeted by botnet operators who recruit compromised appliances as proxy nodes and by nation-state actors who use them as initial access vectors into protected networks.

Overview

CVE-2023-28771 is a pre-authentication OS command injection vulnerability in multiple Zyxel firewall product lines, arising from improper error message handling in the IKEv2 key exchange handler. An unauthenticated attacker can send a specially crafted IKE packet to the affected device that causes OS commands embedded in the packet to execute on the underlying Linux system. Zyxel patched it in April 2023; active exploitation by Mirai botnet variants was documented within weeks. CISA added it to KEV on May 31, 2023, and nation-state actors subsequently incorporated it into targeted intrusion campaigns.

Affected Versions

Product | Vulnerable | Fixed
ATP Series | ZLD V4.32 to V5.35 | ZLD V5.35 Patch 1
USG FLEX Series | ZLD V4.50 to V5.35 | ZLD V5.35 Patch 1
VPN Series | ZLD V4.30 to V5.35 | ZLD V5.35 Patch 1
ZyWALL/USG Series | ZLD V4.09 to V4.73 | ZLD V4.73 Patch 1
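The affected-version table is the piece of this advisory an asset owner has to apply across an inventory, and ZLD version strings ("ZLD V5.35 Patch 1") do not sort as plain strings. The following is an added example, not code from Zyxel or from this advisory: it parses a ZLD version string into (major, minor, patch) and checks it against the ranges above. It assumes that version strings take the forms "ZLD V5.35 Patch 1", "V5.35" or "5.35", that a missing "Patch N" suffix means patch level 0, and that minor numbers compare numerically (V4.09 < V4.10); the inventory rows are constructed.

```python
"""Check Zyxel ZLD firmware versions against the CVE-2023-28771
affected-version table (added example; assumptions noted in comments)."""
import re
from typing import List, NamedTuple, Tuple


class ZldVersion(NamedTuple):
    major: int
    minor: int
    patch: int  # "Patch N" suffix; 0 when absent (assumption)


# Accepts "ZLD V5.35 Patch 1", "V5.35", "5.35 patch 2" (assumed formats).
_VERSION_RE = re.compile(
    r"^\s*(?:ZLD\s*)?V?(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_zld(text: str) -> ZldVersion:
    """Parse a ZLD version string; raise ValueError on unknown formats."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    major, minor, patch = m.groups()
    return ZldVersion(int(major), int(minor), int(patch) if patch else 0)


# (lowest vulnerable, highest vulnerable, first fixed) per product line,
# transcribed from the Affected Versions table in the advisory.
AFFECTED = {
    "ATP":        (parse_zld("V4.32"), parse_zld("V5.35"), parse_zld("V5.35 Patch 1")),
    "USG FLEX":   (parse_zld("V4.50"), parse_zld("V5.35"), parse_zld("V5.35 Patch 1")),
    "VPN":        (parse_zld("V4.30"), parse_zld("V5.35"), parse_zld("V5.35 Patch 1")),
    "ZyWALL/USG": (parse_zld("V4.09"), parse_zld("V4.73"), parse_zld("V4.73 Patch 1")),
}


def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'outside listed range'.

    A build at or above the fixed release is treated as patched; a build
    below the lowest listed vulnerable version is reported as outside the
    table rather than guessed either way.
    """
    low, high, fixed = AFFECTED[product]
    v = parse_zld(version)
    if v >= fixed:
        return "patched"
    if low <= v <= high:
        return "vulnerable"
    return "outside listed range"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate (hostname, product, version) rows with their status."""
    return [(host, product, version, assess(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed inventory rows for demonstration.
    for row in triage([
        ("fw-branch-01", "ATP", "ZLD V5.35"),
        ("fw-branch-02", "ATP", "ZLD V5.35 Patch 1"),
        ("fw-legacy-01", "ZyWALL/USG", "V4.73"),
        ("fw-lab-01", "USG FLEX", "V4.40"),
    ]):
        print(*row, sep=" | ")
```

Run it against an exported device list to get a per-host status; any row marked "vulnerable" maps directly to remediation step 1 below.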

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Zyxel's firewall firmware implements the IKEv2 (Internet Key Exchange version 2) protocol for IPSec VPN negotiation. The IKE handler processes error notification payloads from incoming IKE packets. A flaw in how the error handling code processes certain packet fields allows an attacker to inject OS command characters that are passed unsanitized to a shell executed on the underlying Linux operating system.

The attack requires only the ability to send a UDP packet to port 500 (IKE) or 4500 (NAT-T) on the Zyxel device — both of which are internet-accessible by default on VPN-enabled Zyxel appliances since they are required for VPN client connectivity. No credentials, authentication, or prior session state are required.

Successful exploitation provides OS command execution as a privileged user on the embedded Linux OS, enabling backdoor installation, credential theft from VPN configuration, and lateral movement into protected network segments.

Discovery

Reported by TRAPA Security researchers. Rapid7 subsequently published detailed technical analysis confirming the attack vector (IKEv2 error message handling) and demonstrating reliable exploitation.

Exploitation Context

CVE-2023-28771 was rapidly weaponized after Zyxel's April 2023 advisory. Threat intelligence documented active exploitation by:

  • Mirai botnet variants: Scanning for and exploiting vulnerable Zyxel devices to recruit them into DDoS botnet infrastructure. The Mirai variants targeting CVE-2023-28771 were active within weeks of the patch.
  • Nation-state actors: Volt Typhoon (China-nexus) and other sophisticated actors have used Zyxel VPN vulnerabilities as part of initial access campaigns targeting critical infrastructure — particularly transportation, energy, and government sectors. The IKE attack surface is especially attractive because it is always internet-accessible on VPN gateways.

The 36-day gap between advisory (April 25) and KEV addition (May 31) reflects the time it took for CISA to confirm exploitation in the wild after initial scanning/exploitation activity was detected.

Remediation

  1. Apply Zyxel firmware patches immediately — ZLD V5.35 Patch 1 or later for ATP/USG FLEX/VPN series; ZLD V4.73 Patch 1 or later for ZyWALL/USG series.
  2. If patching cannot be done immediately, disable IKEv2 VPN if not required — this removes the attack vector while patching is arranged.
  3. Review firewall logs for unexpected IKE traffic (UDP/500 and UDP/4500) from external sources, particularly during and after April to June 2023.
  4. Check the device for signs of post-exploitation: new administrative accounts, modified VPN configurations, unexpected cron jobs, or unfamiliar binaries in the filesystem.
  5. Restrict management access to trusted networks — ensure the administrative web interface and SSH are not accessible from the internet.
  6. After patching, rotate VPN pre-shared keys and verify VPN user accounts for unauthorized additions.
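Remediation step 3 asks for a log review of external-source IKE traffic, which is easier to act on as a filter than as a manual scan. The following is an added example and not Zyxel's tooling: it parses constructed firewall log lines (the format is invented for this example, not Zyxel's native syslog format; adapt the regex to your export), keeps only UDP traffic to ports 500 and 4500 inside a date window, and flags sources that are neither internal (RFC 1918) nor on a constructed list of known site-to-site VPN peers. Expected peers are allowlisted explicitly rather than via `ipaddress.is_global`, because documentation ranges and many real peers would otherwise be misclassified.

```python
"""Flag unexpected external IKE traffic in firewall logs for a date window
(added example; log format and peer list are constructed)."""
import ipaddress
import re
from collections import Counter
from datetime import date
from typing import Dict, List

# Constructed sample lines: date time src:port -> dst:port proto action
SAMPLE_LOGS = """\
2023-05-20 03:14:07 198.51.100.23:51822 -> 203.0.113.5:500 UDP allow
2023-05-20 03:14:08 198.51.100.23:51823 -> 203.0.113.5:4500 UDP allow
2023-05-20 09:02:11 10.0.0.44:500 -> 203.0.113.5:500 UDP allow
2023-05-21 22:41:55 192.0.2.77:42111 -> 203.0.113.5:500 UDP allow
2023-05-21 22:41:56 192.0.2.77:42112 -> 203.0.113.5:443 TCP deny
2023-02-01 12:00:00 198.51.100.23:500 -> 203.0.113.5:500 UDP allow
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+)$"
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T, as named in the advisory

# Internal ranges plus known VPN peers (constructed allowlist).
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PEERS = {"192.0.2.77"}  # constructed: a documented site-to-site peer


def is_unexpected_source(ip: str) -> bool:
    """True when the source is neither internal nor a known VPN peer."""
    if ip in KNOWN_PEERS:
        return False
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def find_unexpected_ike(log_text: str, start: str, end: str) -> List[Dict[str, str]]:
    """Return parsed log entries for UDP/500 or UDP/4500 traffic from
    unexpected sources between start and end (ISO dates, inclusive)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; keep going rather than abort review
        if not lo <= date.fromisoformat(m["date"]) <= hi:
            continue
        if m["proto"].upper() != "UDP" or int(m["dport"]) not in IKE_PORTS:
            continue
        if is_unexpected_source(m["src"]):
            hits.append(m.groupdict())
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged entries per source address for quick triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_unexpected_ike(SAMPLE_LOGS, "2023-04-01", "2023-06-30")
    for src, count in summarize(found).most_common():
        print(f"{src}: {count} IKE packet(s) from unexpected source")
```

A source that shows up here is a reason to run step 4's post-exploitation checks on that device, not proof of compromise on its own: vendors and clients moving between networks also produce one-off IKE attempts.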

Key Details

Property | Value
CVE ID | CVE-2023-28771
Vendor / Product | Zyxel — Multiple Firewalls
NVD Published | 2023-04-25
NVD Last Modified | 2025-10-27
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-78
CISA KEV Added | 2023-05-31
CISA KEV Deadline | 2023-06-21
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2023-06-21. Apply updates per vendor instructions.

Timeline

Date | Event
2023-04-25 | Zyxel publishes advisory for CVE-2023-28771 and releases firmware patches for ATP, USG FLEX, VPN, and ZyWALL/USG series
2023-05-19 | Rapid7 publishes technical analysis confirming pre-auth command injection via IKE error message handling
2023-05-31 | CISA adds to Known Exploited Vulnerabilities catalog — Mirai botnet and other actors actively exploiting
2023-06-21 | CISA BOD 22-01 remediation deadline