CVE-2023-28771
Basic Information
- CVE State: PUBLISHED
- Reserved Date: March 23, 2023
- Published Date: April 25, 2023
- Last Updated: February 03, 2025
- Vendor: Zyxel
- Product: ZyWALL/USG series firmware, VPN series firmware, USG FLEX series firmware, ATP series firmware
- Description: Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
- Exploitation: active
- Automatable: Yes
- Technical Impact: total
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
CISA | 2023-05-31 00:00:00 UTC |
Scanner Integrations
Scanner | URL | Date Detected |
---|---|---|
Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771.rb | 2025-04-29 11:01:18 UTC |
Potential Proof of Concepts
Warning: These PoCs have not been tested and could contain malware. Use at your own risk.
zyxel_ike_decoder_rce_cve_2023_28771
Type: metasploit • Created: Unknown
Metasploit module for CVE-2023-28771
benjaminhays/CVE-2023-28771-PoC
Type: github • Created: 2023-05-23 02:37:39 UTC • Stars: 28
PoC for CVE-2023-28771 based on Rapid7's excellent writeup