
DETECTION OVERVIEW

Zyxel Networks Exploit Attempt - CVE-2023-28771

Risk Factors

Vulnerable Zyxel products are often accessible from the internet. An attacker can easily exploit this vulnerability with a single malicious packet to install malware and gain control of devices.

Kill Chain

Exploitation

Risk Score

87

Detection diagram

Attack Background

Zyxel Networks firewall products contain a vulnerability in the Internet Key Exchange version 2 (IKEv2) and Internet Security Association and Key Management Protocol (ISAKMP) packet decoder. Because the decoder mishandles error messages, it is open to command injection. To exploit this vulnerability, an attacker crafts a UDP packet in which a malicious command is placed in the Notification Data field of an IKEv2/ISAKMP error notification of type NO_PROPOSAL_CHOSEN, then sends the packet to the IKEv2/ISAKMP port (UDP 500) on the victim. When the victim processes the packet, the injected command runs on the victim with root privileges.
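The detection idea follows from the description above: per RFC 7296, a NO_PROPOSAL_CHOSEN notify carries no Notification Data, so a non-empty field (especially one holding shell metacharacters) is a strong signal on UDP/500. The following parser and check are an added example written for this page, not RevealX's detection logic or any vendor code; it assumes the IKEv2 wire format from RFC 7296 and builds its own constructed sample messages instead of using captured traffic.

```python
import struct

PAYLOAD_NONE, PAYLOAD_NOTIFY, EXCH_IKE_SA_INIT = 0, 41, 34   # RFC 7296 codes
NOTIFY_NO_PROPOSAL_CHOSEN = 14            # RFC 7296: this notify carries no Notification Data
SHELL_METACHARS = set(b";|&`$(){}<>\n")

def parse_ikev2_notifies(pkt: bytes):
    """Walk the IKEv2 payload chain; return [(notify_type, notification_data), ...]."""
    if len(pkt) < 28:
        raise ValueError("short IKE header")
    _ispi, _rspi, nxt, version, _exch, _flags, _msgid, length = struct.unpack("!QQBBBBII", pkt[:28])
    if version >> 4 != 2 or length != len(pkt):
        raise ValueError("not a well-formed IKEv2 message")
    off, notifies = 28, []
    while nxt != PAYLOAD_NONE:                      # chain ends at Next Payload == 0
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        following, _crit, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        body = pkt[off + 4:off + plen]
        if nxt == PAYLOAD_NOTIFY:
            if len(body) < 4:
                raise ValueError("short Notify payload")
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            notifies.append((ntype, body[4 + spi_size:]))  # skip the SPI, keep Notification Data
        nxt, off = following, off + plen
    return notifies

def inspect(pkt: bytes):
    """Return (notify_type, data, reason) for NO_PROPOSAL_CHOSEN notifies that carry data."""
    findings = []
    for ntype, data in parse_ikev2_notifies(pkt):
        if ntype == NOTIFY_NO_PROPOSAL_CHOSEN and data:
            reason = ("shell metacharacters in Notification Data" if SHELL_METACHARS & set(data)
                      else "unexpected Notification Data")
            findings.append((ntype, data, reason))
    return findings

def build_sample(data: bytes = b"") -> bytes:
    """Constructed IKE_SA_INIT message with one NO_PROPOSAL_CHOSEN Notify (test input, not captured traffic)."""
    notify = struct.pack("!BBH", 0, 0, NOTIFY_NO_PROPOSAL_CHOSEN) + data   # Protocol ID 0, SPI size 0
    payload = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(notify)) + notify
    hdr = struct.pack("!QQBBBBII", 0x1111, 0, PAYLOAD_NOTIFY, 0x20, EXCH_IKE_SA_INIT, 0x08, 0, 28 + len(payload))
    return hdr + payload

if __name__ == "__main__":
    print(inspect(build_sample()))                          # [] : RFC-conformant, empty data
    print(inspect(build_sample(b"$(constructed-sample)")))  # flagged: metacharacters in data
```

Feed `inspect()` the UDP payload of each port 500 datagram seen by a sensor; anything it returns is worth correlating with the patch status of the Zyxel device that received it.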

Mitigation Options

Apply relevant patches

MITRE ATT&CK ID
