On June 16, 2025, GreyNoise detected a coordinated surge of exploit attempts targeting CVE-2023-28771, a critical remote code execution (RCE) vulnerability in Zyxel firewalls.
The activity involved 244 unique IP addresses targeting UDP port 500, with infrastructure linked to Verizon Business and patterns consistent with Mirai-based botnets.
This marks the first large-scale exploitation wave since the vulnerability was disclosed in April 2023.
Exploit Surge Details
Concentrated Attack Wave
- Timing: Exploit attempts spiked on June 16, 2025, after minimal activity in preceding weeks.
- IP Analysis: All 244 IPs were geolocated to the U.S. and registered to Verizon Business, though UDP spoofing complicates attribution.
- Targets: Top destination countries included the U.S., U.K., Spain, Germany, and India.
Botnet Linkages
- Payload Patterns: GreyNoise identified payload signatures matching Mirai variants, known for enslaving devices into distributed denial-of-service (DDoS) botnets.
- Post-Exploitation Risks: Compromised devices could enable lateral movement, data exfiltration, or participation in DDoS campaigns.

Technical Analysis of CVE-2023-28771
Vulnerability Overview
- CVSS Score: 9.8 (Critical).
- Mechanism: Improper error handling in Zyxel’s IKEv2 packet decoder allows unauthenticated attackers to inject OS commands via crafted UDP/500 packets.
- Affected Devices:

Product Line | Vulnerable Firmware | Patch Version |
---|---|---|
ATP Series | ZLD V4.60–V5.35 | ZLD V5.36 |
USG FLEX Series | ZLD V4.60–V5.35 | ZLD V5.36 |
ZyWALL/USG Series | ZLD V4.60–V4.73 | ZLD V4.73 Patch 1 |
Exploit Methodology
- Attackers send malicious IKEv2 packets to UDP/500, bypassing authentication to execute commands as the root user.
- Default configurations are vulnerable, requiring no VPN setup or administrative privileges.
Mitigation Strategies
Immediate Actions
- Patch Devices: Upgrade to ZLD V5.36 (ATP/USG FLEX/VPN) or ZLD V4.73 Patch 1 (ZyWALL/USG).
- Block Malicious IPs: GreyNoise recommends blocking the 244 flagged IPs despite spoofing risks.
- Restrict UDP/500 Exposure: Apply network ACLs to limit inbound traffic to trusted sources.
Monitoring and Recovery
- Detect Anomalies: Search for unusual processes, unexpected outbound connections, or sudden traffic spikes.
- Incident Response: Isolate compromised devices, audit logs for IKEv2 anomalies, and perform forensic analysis.
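The two defensive steps above (limit UDP/500 to trusted peers, and watch for sudden traffic spikes against that port) can be checked from ordinary firewall connection logs. The following is an added example written for this page; it is not GreyNoise or Zyxel code. The syslog-style line format, the firewall name `fw01`, the addresses, and the trusted-peer allowlist `203.0.113.0/24` are all constructed for the example. It keeps only inbound UDP/500 events, drops sources that fall inside the allowlist, buckets the rest into one-minute windows, and flags any window in which the number of distinct untrusted sources reaches a threshold, which is the shape of the burst the report describes (many distinct sources hitting UDP/500 in a short time).

```python
"""Flag bursts of distinct untrusted sources hitting UDP/500 (IKE) in firewall logs.

Added example for this page, not GreyNoise or Zyxel code. The log format,
host name, IP addresses and allowlist below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical connection-log line format (constructed):
# <ISO8601Z> <host> conn src=<ip> dst=<ip> proto=<udp|tcp> sport=<n> dport=<n> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ conn src=(?P<src>\S+) dst=\S+ proto=(?P<proto>\S+) "
    r"sport=\d+ dport=(?P<dport>\d+) action=\S+$"
)

# Hypothetical allowlist of site-to-site VPN peers that are expected on UDP/500.
# In a real deployment this mirrors the ACL that restricts UDP/500 exposure.
TRUSTED_PEERS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines: two trusted-peer exchanges, one lone untrusted
# probe at 08:00, a burst of five distinct untrusted sources at 08:01 (one of
# them repeated), and an unrelated TCP/443 connection.
SAMPLE_LOGS = """\
2025-06-16T08:00:01Z fw01 conn src=203.0.113.10 dst=198.51.100.1 proto=udp sport=500 dport=500 action=allow
2025-06-16T08:00:30Z fw01 conn src=192.0.2.7 dst=198.51.100.1 proto=udp sport=500 dport=500 action=allow
2025-06-16T08:01:10Z fw01 conn src=192.0.2.1 dst=198.51.100.1 proto=udp sport=40001 dport=500 action=allow
2025-06-16T08:01:11Z fw01 conn src=192.0.2.2 dst=198.51.100.1 proto=udp sport=40002 dport=500 action=allow
2025-06-16T08:01:12Z fw01 conn src=192.0.2.3 dst=198.51.100.1 proto=udp sport=40003 dport=500 action=allow
2025-06-16T08:01:13Z fw01 conn src=192.0.2.4 dst=198.51.100.1 proto=udp sport=40004 dport=500 action=allow
2025-06-16T08:01:14Z fw01 conn src=192.0.2.5 dst=198.51.100.1 proto=udp sport=40005 dport=500 action=allow
2025-06-16T08:01:15Z fw01 conn src=192.0.2.5 dst=198.51.100.1 proto=udp sport=40005 dport=500 action=allow
2025-06-16T08:01:40Z fw01 conn src=203.0.113.10 dst=198.51.100.1 proto=udp sport=500 dport=500 action=allow
2025-06-16T08:02:00Z fw01 conn src=192.0.2.9 dst=198.51.100.1 proto=tcp sport=5555 dport=443 action=allow
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "proto": m["proto"].lower(), "dport": int(m["dport"])}


def is_trusted(src, trusted=TRUSTED_PEERS):
    """True if the source address lies inside any allowlisted peer network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def ike_sources_by_window(lines, trusted=TRUSTED_PEERS, window_seconds=60):
    """Map each time window (epoch seconds, aligned to window_seconds) to the set of
    distinct untrusted sources that sent UDP/500 traffic during it."""
    windows = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "udp" or ev["dport"] != 500:
            continue  # not an IKE event (or unparseable line)
        if is_trusted(ev["src"], trusted):
            continue  # expected VPN peer, permitted by the ACL
        epoch = int(ev["ts"].timestamp())
        bucket = epoch - (epoch % window_seconds)
        windows[bucket].add(ev["src"])
    return windows


def find_spikes(lines, threshold=3, trusted=TRUSTED_PEERS, window_seconds=60):
    """Return (window_start_iso, distinct_source_count, sources) for every window whose
    number of distinct untrusted UDP/500 sources reaches the threshold."""
    spikes = []
    for bucket, srcs in sorted(ike_sources_by_window(lines, trusted, window_seconds).items()):
        if len(srcs) >= threshold:
            start = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            spikes.append((start, len(srcs), sorted(srcs, key=ipaddress.ip_address)))
    return spikes


if __name__ == "__main__":
    for start, count, srcs in find_spikes(SAMPLE_LOGS.splitlines(), threshold=3):
        print(f"{start}: {count} distinct untrusted sources on UDP/500: {', '.join(srcs)}")
```

The threshold is a triage signal, not proof of compromise: because IKE runs over UDP, source addresses can be spoofed (the report notes this for the 244 Verizon-registered IPs), so the count of distinct sources measures the burst, not the attacker's true location. Any flagged window should be followed by the log audit and device isolation steps listed above.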
Risk Factor Table
Metric | Details |
---|---|
CVE ID | CVE-2023-28771 |
CVSS v3.0 Score | 9.8 (Critical) |
Affected Products | Zyxel ATP, USG FLEX, VPN, ZyWALL/USG |
Exploit Availability | Public exploits (Metasploit) |
Active Exploitation | Yes (Mirai botnet activity confirmed) |
This incident underscores the persistent threat posed by unpatched network infrastructure.
Organizations using Zyxel devices must prioritize remediation to avoid becoming entry points for large-scale cyberattacks.