On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.
CVE: CVE-2023-28771
Exploit method: UDP port 500 (IKE packet decoder)
Date observed: June 16, 2025
Duration of activity: One day (June 16, 2025)
Unique IPs: 244
Top destination countries: U.S., U.K., Spain, Germany, India.
IP classification: All malicious per GreyNoise
Infrastructure: Verizon Business (all IPs geolocated to U.S.)
Spoofable traffic: Yes (UDP-based)
Observed Activity
Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.
The top destination countries were the U.S., U.K., Spain, Germany, and India.
Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.
Today was an eventful day thanks to many interesting blog posts, e.g. from my friends at watchTowr. So I thought, why not publish a small quick-and-dirty blog post myself about a story from last week? This blog post may not be of the usual quality, but it was a good time to write it.
The hackers compromised home routers made by Zyxel to gain entry into a “major” telecommunications company's environment.
The Taiwanese hardware maker says it has no plans patch the flaws impacting legacy router models
VulnCheck and partner GreyNoise discovered Zyxel-related vulnerabilities being targeted in the wild. In this blog, VulnCheck describes the vulnerabilities CVE-2024-40891 and CVE-2025-0890.
A recently disclosed critical-severity vulnerability in discontinued Zyxel NAS devices is already exploited in botnet attacks, the Shadowserver Foundation warns.
Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug.
“While patching this vulnerability, they added a new endpoint which uses the same approach as the old ones, and while doing so, implemented the same mistakes as its predecessors,” explains Outpost24 security researcher Timothy Hjort, who discovered and reported the security defect.
Summary Chaining of three vulnerabilities allows unauthenticated attackers to execute arbitrary command with root privileges on Zyxel VPN firewall (VPN50, VPN100, VPN300, VPN500, VPN1000). Due to recent attack surface changes in Zyxel, the chain described below broke and become unusable – we have decided to disclose this even though it is no longer exploitable. Credit … SSD Advisory – Zyxel VPN Series Pre-auth Remote Command Execution Read More »
FortiGuard Labs unmasks IZ1H9 and explores the aggressive exploits in the Mirai-Based DDoS Campaign
Flaw makes it possible to install web shell to maintain control of affected devices.
