CVE-2023-28771 is a critical remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders.
GreyNoise Intelligence has observed a concentrated burst of exploitation attempts targeting CVE-2023-28771.
The security firm detected 244 unique IP addresses attempting to exploit the vulnerability over UDP port 500 on June 16, 2025, marking a significant escalation in attack activity against the previously quiet vulnerability.
The exploitation attempts represent a dramatic shift in threat actor behavior, as historical analysis reveals these IP addresses had remained dormant for the two weeks preceding June 16.
During this period, the attacking infrastructure showed no signs of scanning or other malicious activity, suggesting a coordinated campaign specifically targeting CVE-2023-28771.
The attack concentrated on five primary target countries: the United States, United Kingdom, Spain, Germany, and India.
This geographic distribution indicates a broad-scope campaign rather than targeted regional attacks.
The vulnerability allows attackers to execute arbitrary code remotely through malformed IKE packets sent to UDP port 500, potentially compromising affected Zyxel devices completely.
GreyNoise’s threat intelligence indicates that exploitation attempts against CVE-2023-28771 had been minimal in recent weeks, making the sudden surge particularly noteworthy.
The concentrated timeframe of the attacks suggests either a coordinated botnet operation or the release of public exploit code that enabled widespread exploitation attempts.
All 244 attacking IP addresses trace back to Verizon Business infrastructure and appear geolocated within the United States.
However, security researchers warn that the UDP-based nature of the attacks makes IP spoofing highly feasible, meaning the true geographic origin of the attacks remains uncertain.
GreyNoise’s deeper analysis uncovered indicators consistent with Mirai botnet variants, a finding corroborated by VirusTotal detections.
The Mirai connection suggests that successful exploitation attempts may result in compromised Zyxel devices being recruited into the botnet infrastructure, expanding the attackers’ capabilities for future campaigns.
The use of UDP port 500 for exploitation presents additional challenges for defenders, as the protocol’s connectionless nature makes it easier for attackers to spoof source addresses and evade detection.
This technical characteristic also complicates attribution efforts and may allow attackers to conduct attacks while obscuring their true infrastructure.
Despite the possibility of IP spoofing, GreyNoise has classified all 244 IP addresses as malicious and recommends immediate blocking by network defenders.
According to the report, organizations should prioritize reviewing their exposure to ensure any internet-facing Zyxel devices are properly patched against CVE-2023-28771.
Security teams should also implement enhanced monitoring for post-exploitation activity, as successful attacks may lead to botnet enrollment or serve as initial access for more sophisticated attack chains.
The concentrated nature of the campaign suggests attackers may be building infrastructure for larger operations.
Network administrators should consider implementing filtering to limit unnecessary exposure of IKE services on UDP port 500, particularly for devices that don’t require internet-accessible VPN functionality.
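The pattern the report describes, many source IPs that were quiet for two weeks suddenly hitting UDP port 500 on the same day, can be surfaced from a firewall's own connection logs. The Python below is an added example, not code from GreyNoise or Zyxel; the log format, the sample entries and the 14-day dormancy window are constructed here for illustration.

```python
"""Flag a burst of UDP/500 (IKE) probes from source IPs that were dormant for the preceding 14 days."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the report): "timestamp src dst proto dport"
SAMPLE_LOG = """\
2025-06-02T10:00:00 198.51.100.7 203.0.113.1 udp 500
2025-06-10T08:12:05 198.51.100.7 203.0.113.1 udp 500
2025-06-16T03:00:01 192.0.2.10 203.0.113.1 udp 500
2025-06-16T03:00:02 192.0.2.11 203.0.113.1 udp 500
2025-06-16T03:00:03 192.0.2.12 203.0.113.1 udp 500
2025-06-16T03:00:04 198.51.100.7 203.0.113.1 udp 500
2025-06-16T03:00:05 192.0.2.13 203.0.113.1 tcp 443
"""

DORMANCY = timedelta(days=14)  # assumed window, matching the "two weeks" in the report


def parse(log_text):
    """Yield (timestamp, src_ip, proto, dport) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, src, _dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, proto, int(dport)


def ike_burst(log_text, min_sources=3):
    """Return {day: [src_ips]} for days on which at least min_sources distinct IPs
    probed UDP/500 after showing no activity at all during the DORMANCY window
    (an IP with no earlier log entry counts as dormant)."""
    events = sorted(parse(log_text))
    last_seen = {}                  # src_ip -> most recent timestamp of any activity
    candidates = defaultdict(set)   # day -> IPs that hit UDP/500 after being dormant
    for ts, src, proto, dport in events:
        prev = last_seen.get(src)
        if proto == "udp" and dport == 500 and (prev is None or ts - prev > DORMANCY):
            candidates[ts.date().isoformat()].add(src)
        last_seen[src] = ts
    return {day: sorted(ips) for day, ips in candidates.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for day, ips in ike_burst(SAMPLE_LOG).items():
        print(f"{day}: {len(ips)} previously dormant sources probed UDP/500: {', '.join(ips)}")
```

The IP that probed on 2 June and again on 10 June is not flagged on 16 June, because it was active within the window; only the three sources with no prior activity are reported.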
The emergence of this exploitation campaign underscores the continued threat posed by unpatched network infrastructure devices and the importance of maintaining current security patches across all internet-facing systems.