CVE-2023-33009 is a critical vulnerability identified in Zyxel devices, specifically its firewall and VPN product lines. It was discovered as part of a sophisticated attack that compromised 22 Danish energy firms, exploiting this flaw along with another zero-day vulnerability, CVE-2023-33010, and a previously known vulnerability, CVE-2023-28771. These vulnerabilities allowed unauthenticated remote code execution (RCE), giving the attackers extensive control over the compromised systems.
The campaign against the Danish energy firms consisted of two waves, with the second wave believed to have exploited the newly discovered vulnerabilities CVE-2023-33009 and CVE-2023-33010. SektorCERT researchers found that these vulnerabilities were disclosed and patched by Zyxel shortly after their exploitation, on May 24. The use of new tools and tactics in conjunction with these zero-day flaws indicates a high level of sophistication and preparation on the part of the attackers.
In response to the discovery and exploitation of these vulnerabilities, Zyxel has released a security advisory and patches to address the issues, along with mitigation strategies and updates for its customers to prevent further compromise of their devices. Despite these efforts, the successful exploitation of CVE-2023-33009 and CVE-2023-33010 underscores the ongoing challenges faced by cybersecurity teams in protecting against advanced persistent threats.
Description last updated: 2024-05-04T17:55:37.833Z