InfoSecBulletin Cybersecurity for mankind
GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel’s IKE affecting UDP port 500. The attack centers around CVE-2023-28771, a high-severity remote code execution vulnerability (CVSS 9.8) affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.
Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.
AMD discloses 4 new CPU flaws Affecting Many CPUs
GitLab patched XSS and Authorization Bypass Flaws
CVE-2025-7206
Critical D-Link DIR-825 Router Flaw Remote Crash Via Buffer Overflow
Urgently patch now: Zoom Patches 6 Flaws
Whatsapp rival ‘Bitchat’, message without internet
Splunk Addresses Third-Party Package Vulns in SOAR Versions
Texas-based Tax Credit Consultancy agency exposed PII, ID Numbers, & SSNs
CVE-2025-25257
Fortinet Addresses Major SQL Injection Flaw in FortiWeb
Microsoft July 2025 Patch Tuesday: One zero-day, 137 flaws
Android malware Anatsa infiltrates Google Play targeting banks worldwide
The top destination countries were the U.S., U.K., Spain, Germany, and India.
Analysis shows that in the two weeks before June 16, these IPs only targeted CVE-2023-28771 and were not involved in other scanning or exploit activities.
“On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation,” the company reported.
CVE-2023-28771 lets remote attackers send specific IKE packets to vulnerable Zyxel devices, allowing them to execute system commands without authentication. This gives attackers complete control over the firewall, enabling further attacks or botnet use.
Affected Zyxel product lines include:
ATP (Advanced Threat Protection) – ZLD V4.60 to V5.35
USG FLEX – ZLD V4.60 to V5.35
VPN series – ZLD V4.60 to V5.35
ZyWALL/USG – ZLD V4.60 to V4.73
Patches were released by Zyxel on April 25, 2023, but unpatched devices remain vulnerable.
GreyNoise’s threat intelligence noted that: “In the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.”
This suggests a deliberate and well-timed attack strategy, likely automated and synchronized.
All 244 IPs involved are registered to Verizon Business infrastructure and geolocated to the United States.
However, due to the use of UDP port 500, IP spoofing is possible, casting doubt on the apparent source.
GreyNoise identified patterns consistent with Mirai botnet variants, as also corroborated by VirusTotal analysis of the payloads. This aligns with previous cases where botnets preyed on edge devices through unpatched IoT and networking gear.
“Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants,” the report confirms.
The exploitation traffic was not limited to a single region. The top targeted countries include:
United States
United Kingdom
Spain
Germany
India
These regions are home to many small-to-medium businesses and government agencies, often relying on Zyxel for perimeter security.
GreyNoise strongly recommend the following defensive actions:
Update immediately: Ensure all affected Zyxel devices are patched with the latest firmware.
Block the 244 IPs: While spoofing is possible, GreyNoise has flagged these IPs as malicious and advises proactive blocking.
Limit UDP port 500 exposure: Filter unnecessary inbound traffic where possible.
Monitor for anomalies: Check for post-exploitation indicators such as unusual process behavior, traffic patterns, or enrollment in botnets.1
