I’ve recently noticed my IPS picking up a new Suricata rule from the Emerging Threats ruleset: ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771) (SID: 2063094). It started showing up in my logs almost immediately after it was added to the ruleset with details like:
Date: 07/04 22:43:21 Name: ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771)
Priority: 1 Type: Web Application Attack
IP info: 167.57.138.19:53926 -> [red0_IP_address]:500
References: none found SID: 2063094
I don’t have any Zyxel equipment, so I’m not affected, but it’s interesting to see this rule, dated 20th June 2025, triggering now. It seems like it was added recently, possibly due to a spike in exploit attempts.
Has anyone else seen this rule popping up in their IPS logs recently?
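As an added example (not from the original post, IPFire or Suricata), a small Python script that parses alert blocks in the layout quoted above and summarizes them per SID, so you can see how many distinct sources are hitting a rule and which local ports they target. The sample input is constructed: it reuses the address from the post and documentation-range addresses for the rest, and the second rule name and SID are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the same four-line layout as the IPS notification quoted above.
SAMPLE_ALERTS = """\
Date: 07/04 22:43:21 Name: ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771)
Priority: 1 Type: Web Application Attack
IP info: 167.57.138.19:53926 -> [red0_IP_address]:500
References: none found SID: 2063094
Date: 07/04 23:10:02 Name: ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771)
Priority: 1 Type: Web Application Attack
IP info: 203.0.113.7:41000 -> [red0_IP_address]:500
References: none found SID: 2063094
Date: 07/05 01:02:11 Name: ET SCAN Constructed Example Rule
Priority: 2 Type: Attempted Information Leak
IP info: 198.51.100.9:5555 -> [red0_IP_address]:22
References: none found SID: 2000001
"""

# One alert = four consecutive lines; the destination may be a redacted placeholder.
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+)\n"
    r"IP info: (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"References: (?P<refs>.+) SID: (?P<sid>\d+)"
)


def parse_alerts(text):
    """Return one dict per alert block found in the notification text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]


def summarize(alerts):
    """Per SID: hit count, distinct source addresses and targeted local ports."""
    summary = defaultdict(lambda: {"name": "", "count": 0, "sources": set(), "dports": set()})
    for a in alerts:
        s = summary[a["sid"]]
        s["name"] = a["name"]
        s["count"] += 1
        s["sources"].add(a["src"])
        s["dports"].add(int(a["dport"]))
    return dict(summary)


if __name__ == "__main__":
    for sid, s in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"SID {sid}: {s['count']} hits from {len(s['sources'])} sources "
              f"on ports {sorted(s['dports'])} ({s['name']})")
```

A rule like this one matches the IKE traffic pattern on UDP/500 itself, so seeing it fire tells you the probe reached your external address, not that anything behind it is vulnerable.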
Zyxel have their own Firewall OS and apparently they had a flaw in it on some of their systems where a specially crafted IKEv2 packet allows unauthenticated remote code execution.
The interesting thing is that the flaw was found early in 2023 and Zyxel provided patches for the fix in April 2023, but here we are in 2025, and in June there was a peak of activity on this vulnerability. Apparently the attacks are thought to be linked to a Mirai botnet.
I found the following statement in an article on this current spurt in activity:
As the vulnerability has been extensively targeted before, for someone to fall victim now, they would have had to obtain a vulnerable device, deploy it without updates, and expose it to the internet, even though it’s in a known vulnerable state.
One would almost say that the chain of incompetence needed to be victimized at this point is borderline impressive, but of course, it can happen. This, however, is not the vulnerability we should all wake up and worry about today. In fact, if you were worried about it, you would have fixed it years ago.
I’ve been listening to a security podcast talking about a Cisco IOS vulnerability with a CVSS score of 9.8 that was getting exploited for years by Salt Typhoon after Cisco released a fix because they were deployed, but not maintained. It seems that network admins in many large corporations never update firewall firmware for some reason. Either overworked and no time, pressure of zero downtime, corporate culture, something! In one case, the CVE was from 2018, had been patched in 2018, but was still being exploited between December 2024 and January 2025.
edit: @ag BTW, yes, I’m seeing this rule being triggered as well in two firewalls I maintain.
I believe it is the fear of new bugs. At least they know the ones that they have.
Sometimes certification plays a role, too. When you have reached a certain certification, you might not be able to install any updates unless you want to lose said certification. They tend to make the internet a worse place.
There are also plenty of people who simply don’t know that they need to patch their printers…