Intrusion PreventionZyxel.Firmware.error.message.Command.Injection
Description
This indicates an attack attempt to exploit an OS Command Injection vulnerability in multiple Zyxel firmwares.
The vulnerability is due to insufficient sanitizing of user supplied inputs in the application. A remote attacker may be able to exploit this to execute arbitrary commands within the context of the system.
Outbreak Alert
Multiple critical vulnerabilities affecting various Zyxel devices have been seen exploited in the wild. The attackers are observed deploying Mirai like botnet inducing denial of service conditions. One of the vulnerability, CVE-2023-28771 which allows unauthenticated attackers to execute OS commands remotely has a publicly available proof of concept (PoC).
Affected Products
Zyxel ZyWALL/USG ZLD version 4.60 to 4.73
Zyxel ATP ZLD version 4.60 to 5.35
Zyxel USG FLEX ZLD version 4.60 to 5.35
Zyxel VPN ZLD version 4.60 to 5.35
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| ID | 53203 |
| Created | Jun 05, 2023 |
| Updated | Nov 10, 2025 |
| CVE ID | |
| Tags | Zyxel Multiple Firewall Vulnerabilities Threat Signal |
| Risk |
|
| Known Exploited | Yes |
| Exploit Prediction Score | 94.35% |
| Default Action | drop |
| Active | |
| Affected OS | Other |
| Affected App | Other |
| Profile Type | OS Command Injection |