A new Mirai malware variant is targeting a recently patched vulnerability in Zyxel firewall appliances to compromise the devices and ensnare them into the botnet.
Tracked as CVE-2023-28771, the bug is an OS command injection issue that allows remote execution of OS commands on the target device by sending specially crafted packets. The vulnerability affects the following products:
- ATP (firmware version 4.60 to 5.35 inclusive)
- USG FLEX (firmware version 4.60 to 5.35 inclusive)
- VPN (firmware version 4.60 to 5.35 inclusive)
- ZyWALL/USG (firmware version 4.60 to 4.73 inclusive)
Zyxel released a firmware update (version 5.36) back in March to address the security issue.
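The affected ranges above are inclusive and the version numbers have two-digit minor components, so a naive string comparison (for example treating "4.7" and "4.70" as equal, or sorting "4.73" after "5.3" lexicographically) can misclassify a device. The following inventory check is an added example written for this article; it is not Zyxel's or Rapid7's code. It encodes only the product families and ranges the article lists, and it assumes that an inventory may record a version either as a bare "5.35" or with a vendor-style prefix and build suffix such as "V5.35(ABUJ.1)" (that format, the helper names and the inventory rows are constructed for the example).

```python
import re

# Affected firmware ranges exactly as stated in the article, inclusive on
# both ends. Keys are the product families named there.
AFFECTED_RANGES = {
    "ATP": ("4.60", "5.35"),
    "USG FLEX": ("4.60", "5.35"),
    "VPN": ("4.60", "5.35"),
    "ZyWALL/USG": ("4.60", "4.73"),
}

# Accepts "5.35", "v5.35" or "V5.35(ABUJ.1)"; only the leading major.minor
# pair is used. The prefix/suffix handling is an assumption about how an
# inventory tool might record the version, not something the article states.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) as integers so comparisons are numeric.

    Comparing the strings directly would break: "4.73" < "5.3" is true
    lexicographically but "4.73" > "4.7" is also true lexicographically,
    while numerically the minor components are 73 and 7.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(product, version):
    """True if the device sits inside the affected range for its family."""
    if product not in AFFECTED_RANGES:
        raise KeyError(f"no CVE-2023-28771 range known for product {product!r}")
    low, high = AFFECTED_RANGES[product]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(inventory):
    """Classify each (hostname, product, version) row from an inventory.

    Returns (hostname, product, version, status) tuples with status one of
    "affected", "not affected" or "unknown product", so unknown hardware is
    surfaced for manual review rather than silently treated as safe.
    """
    results = []
    for hostname, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "not affected"
        except KeyError:
            status = "unknown product"
        results.append((hostname, product, version, status))
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "V5.20(ABUJ.1)"),
    ("fw-hq-01", "ATP", "5.36"),
    ("fw-vpn-02", "VPN", "4.60"),
    ("fw-legacy-01", "ZyWALL/USG", "4.74"),
    ("fw-other-01", "NebulaFlex", "1.02"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-14s %-11s %-14s %s" % row)
```

Running the script prints one line per device; in the sample, the USG FLEX on 5.20 and the VPN on 4.60 (the lower bound, still inside the inclusive range) come back as affected, the ATP on 5.36 and the ZyWALL/USG on 4.74 as not affected, and the unlisted product is flagged for review.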
Earlier this month, cybersecurity firm Rapid7 warned that this bug could be used in real-world attacks, adding that there are nearly 42,000 instances of Zyxel web interfaces exposed to the public internet. Not surprisingly, just a few days later, reports began emerging of mass exploitation of CVE-2023-28771 by the Mirai botnet, with many SMB appliances being impacted.
Last week, the Taiwan-based vendor fixed two more remote code execution (RCE) vulnerabilities affecting its firewalls - CVE-2023-33009 and CVE-2023-33010.