Critical Zyxel Vulnerability CVE-2023-28771 Under Active Exploitation: GreyNoise Report

TL;DR

GreyNoise researchers have identified a surge in exploit attempts targeting the critical Zyxel vulnerability CVE-2023-28771. This vulnerability affects Zyxel IKE decoders over UDP port 500 and has a CVSS score of 9.8. The main targets include the U.S., U.K., Spain, Germany, and India. Mitigation strategies include blocking malicious IPs, patching affected devices, and monitoring for post-exploitation activity.

Critical Zyxel Vulnerability CVE-2023-28771 Under Active Exploitation: GreyNoise Report

On June 16, GreyNoise researchers detected a significant surge in exploit attempts targeting the critical vulnerability CVE-2023-28771 in Zyxel devices. This remote code execution (RCE) flaw, which has a CVSS score of 9.8, affects Zyxel IKE decoders over UDP port 500. The exploitation attempts were concentrated, with 244 unique IPs observed attempting to exploit the vulnerability within a short timeframe¹.

Targeted Regions and Attack Patterns

The primary targets of these exploit attempts were devices located in the U.S., U.K., Spain, Germany, and India. Interestingly, the attacking IPs showed no other suspicious activity in the two weeks prior to June 16, focusing solely on this specific vulnerability¹.

Attack Attribution and IP Spoofing

All 244 IP addresses linked to the exploit attempts appear to originate from Verizon Business in the U.S. However, since the attack uses UDP (port 500), there is a possibility that the IP addresses could be spoofed. GreyNoise has attributed these attempts to variants of the Mirai botnet, which was later confirmed by VirusTotal¹.

Mitigation Strategies

GreyNoise has provided several mitigation strategies to defend against these exploit attempts:

• Block Malicious IPs: Although spoofing is possible, GreyNoise has classified all 244 IPs as malicious. Defenders should immediately block these IPs and monitor for related activity.
• Review Zyxel Device Exposure: Ensure that any internet-exposed Zyxel devices are patched for CVE-2023-28771.
• Monitor for Post-Exploitation Activity: Exploit attempts may lead to botnet enlistment or additional compromise. Monitor affected devices for any anomalies.
• Limit Unnecessary IKE/UDP Port 500 Exposure: Apply network filtering where possible to reduce unnecessary exposure¹.

Vulnerability Background and Patch Information

In April 2023, Zyxel addressed the critical vulnerability CVE-2023-28771 in its firewall devices. The company advised customers to install the provided patches to mitigate the vulnerability. At the time, threat actors were actively attempting to exploit this command injection vulnerability to deploy and install malware on affected systems. By the end of May 2025, the U.S. CISA added the vulnerability to its Known Exploited Vulnerability Catalog based on evidence of active exploitation².

Conclusion

The active exploitation of CVE-2023-28771 underscores the importance of timely patching and vigilant monitoring of network devices. Organizations should prioritize implementing the mitigation strategies recommended by GreyNoise to protect against potential botnet enlistment and further compromise.

For more details, visit the full article: source

Additional Resources

For further insights, check:

• GreyNoise Blog
• Zyxel Security Advisory
• CISA Known Exploited Vulnerabilities Catalog

References

1. GreyNoise (June 16, 2025). “Exploit attempts targeting Zyxel CVE-2023-28771”. GreyNoise Blog. Retrieved June 17, 2025. ↩︎ ↩︎² ↩︎³ ↩︎⁴

2. CISA (May 31, 2025). “CISA Adds One Known Exploited Vulnerability to Catalog”. CISA Alerts. Retrieved June 17, 2025. ↩︎