Finding Zyxel Network Devices
Last month, Zyxel disclosed a remote command execution vulnerability affecting a handful of their product families. This vulnerability has been assigned CVE-2023-28771, and with a CVSSv3 score of 9.8, this vulnerability is considered highly critical. Attackers who send a specially crafted packet to UDP port 500 on an affected Zyxel device could execute arbitrary commands or create a denial-of-service condition.
Along with this disclosure, Zyxel announced updated software to address this issue; information about the update is available here.
There are reports that this vulnerability is being actively exploited in the wild. In the device’s default configuration, the vulnerable port is often exposed to the public Internet.
Finding affected devices using runZero #
You can locate Zyxel devices with the exposed by visiting the Asset Inventory and using the following pre-built query:
hw:"Zyxel" and udp_port:500
The devices found by this query should be checked to make sure they are running a patched version of their firmware.
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Zyxel assets?
Get started
Rob King is a Principal Researcher at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.
Similar Content
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …
Read MoreSeptember 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreSeptember 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …
Read More