CVE-2023-28771

CRITICAL KEV

Zyxel ATP/USG FLEX/VPN Series Firmware 4.60-5.35 and ZyWALL/USG Firmware 4.60-4.73 - Unauthenticated Remote Code Execution via IKE Packet Decoder

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-28771 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added May 31, 2023). EIP tracks 5 public exploit entries: four working PoCs (by benjaminhays, fed-speak, benhays142 and sf, the last being the Metasploit module exploits/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771) and one stub repository (JinParkmida) that contains no exploit code.

AI-analyzed exploit summary: This repository contains a functional Python-based PoC for CVE-2023-28771, leveraging Scapy to craft malicious IKEv2 packets with command injection payloads. It supports both direct command execution and reverse shell establishment via crafted Notify payloads.

Description

Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
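The attack path the summaries on this page describe, a Notify payload carrying shell commands inside an otherwise well-formed IKEv2 message sent to UDP/500, can be checked for on the wire. The Python below is an added example written for this page, not code from any of the listed repositories, from the Metasploit module or from Zyxel: it parses the IKEv2 header and payload chain per RFC 7296 and flags Notify payloads whose notification data contains shell metacharacters. The sample packets are constructed here; the notify type they use, the metacharacter set and the exact byte layout are assumptions for illustration and do not reproduce the public PoCs' payload format.

```python
"""
Heuristic detector for command-injection attempts against an IKE packet
decoder (CVE-2023-28771 style): parse IKEv2 per RFC 7296 and flag Notify
payloads whose notification data carries shell metacharacters.
Example code written for this page; sample packets are constructed.
"""
import struct

IKE_HEADER_LEN = 28          # RFC 7296 section 3.1 fixed header
NEXT_PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41          # payload type "N"
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
# Assumed heuristic: none of these belong in notification data, and a
# shell that receives the data unescaped would interpret every one of them.
SHELL_META = set(";|&`$(){}<>\n")


def parse_ikev2(packet: bytes) -> dict:
    """Parse the fixed header and walk the payload chain; raise on malformed input."""
    if len(packet) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", packet[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length > len(packet):
        raise ValueError("length field exceeds datagram")
    payloads, offset = [], IKE_HEADER_LEN
    while next_payload != NEXT_PAYLOAD_NONE:
        if offset + 4 > length:
            raise ValueError("payload header runs past message length")
        np, crit, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        payloads.append({"type": next_payload, "critical": bool(crit & 0x80),
                         "body": packet[offset + 4:offset + plen]})
        next_payload, offset = np, offset + plen
    return {"ispi": ispi, "rspi": rspi, "exchange": EXCHANGE_NAMES.get(exch, str(exch)),
            "msg_id": msg_id, "payloads": payloads}


def parse_notify(body: bytes) -> dict:
    """Split a Notify payload body (RFC 7296 section 3.10) into its fields."""
    if len(body) < 4:
        raise ValueError("short Notify payload")
    proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
    if 4 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return {"protocol": proto, "spi": body[4:4 + spi_size],
            "notify_type": ntype, "data": body[4 + spi_size:]}


def find_injection(packet: bytes) -> list:
    """Return [(notify_type, data)] for Notify payloads containing shell metacharacters."""
    hits = []
    for p in parse_ikev2(packet)["payloads"]:
        if p["type"] != PAYLOAD_NOTIFY:
            continue
        n = parse_notify(p["body"])
        if SHELL_META & set(n["data"].decode("latin-1")):
            hits.append((n["notify_type"], n["data"]))
    return hits


def build_packet(notify_data: bytes, notify_type: int = 14, exchange: int = 34) -> bytes:
    """Constructed test input: a minimal IKE_SA_INIT carrying one Notify payload.
    Notify type 14 (NO_PROPOSAL_CHOSEN) is an arbitrary choice for the sample."""
    body = struct.pack("!BBH", 0, 0, notify_type) + notify_data     # protocol 0, no SPI
    payload = struct.pack("!BBH", NEXT_PAYLOAD_NONE, 0, 4 + len(body)) + body
    hdr = struct.pack("!QQBBBBII", 0x1122334455667788, 0, PAYLOAD_NOTIFY,
                      0x20, exchange, 0x08, 0, IKE_HEADER_LEN + len(payload))
    return hdr + payload


# Constructed samples: an empty notification and one smuggling a command string.
BENIGN = build_packet(b"")
SUSPECT = build_packet(b"`id`; touch /tmp/marker")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_injection(pkt))
```

To use it against real traffic, hand `find_injection` the raw UDP/500 payload of each captured datagram (for example from a pcap via a packet library); the parser rejects truncated headers and inconsistent length fields rather than guessing, which matters because a decoder that trusts those fields is exactly the kind of code this CVE lives in.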

Exploits (5)

nomisec WORKING POC 30 stars
by benjaminhays · poc
https://github.com/benjaminhays/CVE-2023-28771-PoC

This repository contains a functional Python-based PoC for CVE-2023-28771, leveraging Scapy to craft malicious IKEv2 packets with command injection payloads. It supports both direct command execution and reverse shell establishment via crafted Notify payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zyxel ATP/USG FLEX/VPN/ZyWALL firmware IKE packet decoder on UDP/500 (the PoC targets Zyxel's decoder, not general-purpose IKEv2 stacks such as strongSwan)
No auth needed
Prerequisites: Network access to target's UDP port 500 · Scapy library installed
devstral-2 · analyzed Feb 19, 2026
nomisec STUB
by JinParkmida · poc
https://github.com/JinParkmida/cve-2023-28771-demo

The repository contains only a React + TypeScript + Vite template with no exploit code or technical details related to CVE-2023-28771. It lacks any functional PoC, scanner, or writeup content.

Classification: Stub 95%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026
inthewild WORKING POC
poc
https://github.com/fed-speak/cve-2023-28771-poc

This repository contains a functional Python-based PoC exploit for CVE-2023-28771, leveraging Scapy to craft malicious IKEv2 packets with command injection payloads. It supports both direct command execution and reverse shell establishment via crafted Notify payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zyxel ATP/USG FLEX/VPN/ZyWALL firmware IKE packet decoder on UDP/500 (the PoC targets Zyxel's decoder, not general-purpose IKEv2 stacks such as strongSwan or libreswan)
No auth needed
Prerequisites: Network access to target's UDP port 500 · Scapy library installed
devstral-2 · analyzed Feb 23, 2026
inthewild WORKING POC
poc
https://github.com/benhays142/cve-2023-28771-poc

This repository contains a functional exploit PoC for CVE-2023-28771, leveraging a crafted IKEv2 packet to achieve remote command execution (RCE) on vulnerable systems. The exploit uses Scapy to send a malformed IKEv2 packet with a command injection payload, supporting both direct command execution and reverse shell functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zyxel ATP/USG FLEX/VPN/ZyWALL firmware IKE packet decoder (the PoC itself names no vendor or firmware version)
No auth needed
Prerequisites: Network access to target on UDP port 500 · Scapy Python library installed
devstral-2 · analyzed Feb 23, 2026
metasploit WORKING POC GREAT
by sf · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/zyxel_ike_decoder_rce_cve_2023_28771.rb

This Metasploit module exploits CVE-2023-28771, an unauthenticated remote command injection vulnerability in Zyxel devices' IKE packet decoder over UDP port 500. It crafts a malicious IKE packet with a command injection payload to achieve root-level RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zyxel ATP, USG FLEX, VPN, ZyWALL/USG (firmware versions 4.60 to 5.35; ZyWALL/USG 4.60 to 4.73)
No auth needed
Prerequisites: Network access to UDP port 500 on the target device
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.9435
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-05-31
VulnCheck KEV 2023-05-25
InTheWild.io 2023-05-31
ENISA EUVD EUVD-2023-32406
CWE
CWE-78
Status published
Products (21)
zyxel/atp100_firmware 4.60 - 5.36
zyxel/atp100w_firmware 4.60 - 5.35
zyxel/atp200_firmware 4.60 - 5.36
zyxel/atp500_firmware 4.60 - 5.36
zyxel/atp700_firmware 4.60 - 5.36
zyxel/atp800_firmware 4.60 - 5.36
zyxel/usg_flex_100_firmware 4.60 - 5.36
zyxel/usg_flex_100w_firmware 4.60 - 5.36
zyxel/usg_flex_200_firmware 4.60 - 5.36
zyxel/usg_flex_500_firmware 4.60 - 5.36
... and 11 more
Published Apr 25, 2023
KEV Added May 31, 2023
Tracked Since Feb 18, 2026