Cyber Resilience

CVE-2023-28771

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 25 April 2023
Modified: 27 October 2025
KEV Added: 31 May 2023
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9435 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)
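The Risk Priority line states the weighting but not how the three inputs are put on a common scale. The following is an added example, not the site's own scoring code: it assumes EPSS is scaled to 0-100, KEV membership counts as 100 or 0, and the CVSS base score is multiplied by 10. Under those assumptions the weights on the page reproduce the figure of 96 shown for CVE-2023-28771. The two comparison entries are hypothetical and constructed here to show how the weighting orders a patch queue.

```python
"""Reproduce the page's Risk Priority figure from its stated weights.

Added example; this is not the site's own scoring code. The weights
(60% EPSS, 20% KEV, 20% CVSS) are taken from the page. How each input is
scaled onto a common 0-100 range is an assumption made here:
EPSS probability x100, KEV membership as 100/0, CVSS base score x10.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveSignals:
    cvss_base: float  # CVSS v3.1 base score, 0.0 to 10.0
    epss: float       # EPSS probability, 0.0 to 1.0
    in_kev: bool      # listed in the CISA KEV catalog


WEIGHTS = {"epss": 0.60, "kev": 0.20, "cvss": 0.20}


def risk_priority(s: CveSignals) -> int:
    """Weighted 0-100 priority; raises on out-of-range inputs."""
    if not 0.0 <= s.epss <= 1.0:
        raise ValueError(f"EPSS must be a probability, got {s.epss}")
    if not 0.0 <= s.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {s.cvss_base}")
    epss_term = s.epss * 100.0          # 0.9435 -> 94.35
    kev_term = 100.0 if s.in_kev else 0.0
    cvss_term = s.cvss_base * 10.0      # 9.8 -> 98.0
    score = (WEIGHTS["epss"] * epss_term
             + WEIGHTS["kev"] * kev_term
             + WEIGHTS["cvss"] * cvss_term)
    return round(score)


def rank(cves: dict[str, CveSignals]) -> list[tuple[str, int]]:
    """Order a set of CVEs for patching, highest priority first."""
    scored = [(name, risk_priority(sig)) for name, sig in cves.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Signals for CVE-2023-28771 as shown on this page, plus two constructed
# comparison entries (hypothetical, for illustration only).
SAMPLE = {
    "CVE-2023-28771": CveSignals(cvss_base=9.8, epss=0.9435, in_kev=True),
    "hypothetical-kev-medium": CveSignals(cvss_base=7.5, epss=0.50, in_kev=True),
    "hypothetical-critical-unexploited": CveSignals(cvss_base=9.8, epss=0.01, in_kev=False),
}

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{score:3d}  {name}")
```

Under this weighting a CVSS 9.8 flaw with no exploitation evidence scores about 20, while KEV membership alone adds a flat 20 points and EPSS contributes up to 60; that is why CVE-2023-28771, with near-maximal EPSS, lands at the top of the queue regardless of what the CVSS term adds.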

Summary

CVE-2023-28771 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zyxel firewall firmware, affecting the ZyWALL/USG, VPN, USG FLEX and ATP series. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it sits at the 100.0th EPSS percentile (score 0.9435), meaning essentially no other scored CVE has a higher estimated likelihood of exploitation; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2023-28771 is an improper error message handling flaw, tracked as CWE-78 (OS Command Injection), that affects multiple Zyxel firewall product lines. Impacted devices include the ZyWALL/USG series running firmware 4.60 through 4.73, and the VPN, USG FLEX and ATP series running firmware 4.60 through 5.35. The vulnerability permits unauthenticated remote code execution and carries a CVSS 3.1 base score of 9.8.

An unauthenticated attacker exploits the issue by sending specially crafted IKE packets to a device whose IKE service (UDP 500) is reachable; the result is OS command execution on the firewall with full system privileges and no user interaction. Since IKE is the service that terminates VPN tunnels, it is typically reachable on the WAN interface of an internet-facing firewall, so exposure is the norm rather than a misconfiguration.

Zyxel's security advisory recommends upgrading to patched firmware immediately and, where an upgrade is not yet feasible, applying the vendor-supplied workarounds. The flaw is listed in CISA's Known Exploited Vulnerabilities catalog, and its EPSS score of 0.9435 (an estimated 94% probability of exploitation activity within 30 days) reflects the active exploitation that followed disclosure.


Vulnerability details

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 31 May 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                   Firmware versions
zyxel    atp100 firmware           4.60 to 5.36
zyxel    atp100w firmware          4.60 to 5.35
zyxel    atp200 firmware           4.60 to 5.36
zyxel    atp500 firmware           4.60 to 5.36
zyxel    atp700 firmware           4.60 to 5.36
zyxel    atp800 firmware           4.60 to 5.36
zyxel    usg flex 100 firmware     4.60 to 5.36
zyxel    usg flex 100w firmware    4.60 to 5.36
zyxel    usg flex 200 firmware     4.60 to 5.36
zyxel    usg flex 50 firmware      4.60 to 5.36
Plus 9 more product configurations; see NVD for the full list.

Note that the vulnerability description gives 4.60 through 5.35 as the affected range for the ATP and USG FLEX series, while most rows above end at 5.36. Where a row shows 5.36, check the NVD CPE match data to confirm whether that upper bound is inclusive before treating a device on 5.36 as vulnerable.
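To turn the ranges in the description and the asset list into a fleet triage check, the following is an added example, not code from this page, NVD or Zyxel. It parses a ZLD firmware version string and tests it against the affected ranges as stated in the vulnerability description (4.60 through 4.73 for ZyWALL/USG, 4.60 through 5.35 for VPN, USG FLEX and ATP), treating those bounds as inclusive and anything above them as not affected. The model-name to product-line mapping and the inventory rows are assumptions constructed here for illustration.

```python
"""Check Zyxel ZLD firmware versions against the CVE-2023-28771 ranges.

Added example, not code from the page, NVD or Zyxel. The affected ranges
are the ones stated in the vulnerability description on this page; the
model-to-series mapping and the sample inventory are assumptions made
here for illustration.
"""
import re
from typing import NamedTuple

# Inclusive (major, minor) ranges per product line, from the description.
AFFECTED_RANGES = {
    "ZyWALL/USG": ((4, 60), (4, 73)),
    "VPN":        ((4, 60), (5, 35)),
    "USG FLEX":   ((4, 60), (5, 35)),
    "ATP":        ((4, 60), (5, 35)),
}

# Accept "5.35", "V5.35" or "V5.35(ABFW.0)"; only major.minor is compared.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)", re.IGNORECASE)


def parse_zld_version(text: str) -> tuple[int, int]:
    """Extract (major, minor) from a ZLD version string; reject anything else."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def series_for_model(model: str) -> str:
    """Map a model name to a product line (assumed prefixes, not from the page)."""
    name = model.upper().strip()
    if name.startswith("USG FLEX"):
        return "USG FLEX"
    if name.startswith("ATP"):
        return "ATP"
    if name.startswith("VPN"):
        return "VPN"
    if name.startswith(("ZYWALL", "USG")):
        return "ZyWALL/USG"
    raise ValueError(f"model {model!r} is not in a product line covered here")


def is_affected(model: str, firmware: str) -> bool:
    """True when the firmware falls inside the affected range for the model's series."""
    low, high = AFFECTED_RANGES[series_for_model(model)]
    return low <= parse_zld_version(firmware) <= high


class Device(NamedTuple):
    host: str
    model: str
    firmware: str


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    Device("fw-edge-01", "ATP200", "V5.35(ABFW.0)"),    # last affected ATP release
    Device("fw-edge-02", "ATP200", "V5.36(ABFW.0)"),    # above the stated range
    Device("fw-branch-01", "USG FLEX 100", "5.10"),
    Device("fw-legacy-01", "USG310", "V4.73(AAPK.0)"),  # ZyWALL/USG upper bound
    Device("fw-legacy-02", "USG310", "V4.59"),          # below the stated range
    Device("vpn-hub-01", "VPN300", "V5.20"),
]


def triage(devices: list[Device]) -> list[str]:
    """Hostnames that need the patched firmware, in inventory order."""
    return [d.host for d in devices if is_affected(d.model, d.firmware)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("affected:", host)
```

The comparison deliberately stops at major.minor because that is the granularity the description uses; if a vendor fix were shipped as a patch level within the same major.minor, the check would need a third component. Read the version from the device itself rather than from an asset database, since stale inventory data is the usual reason a triage like this misses a box.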

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of all inputs, including IKE packets received from the network, so that OS command injection is blocked before anything reaches a shell.

SI-11 Error Handling (prevent): Addresses the root cause, the improper error message handling that crafted packets can drive into remote command execution.

SI-2 Flaw Remediation (prevent): Mandates timely patching of the known command-injection flaw in the affected Zyxel firmware versions.
