Hackers Actively Exploiting Zyxel RCE Vulnerability Via UDP Port

A significant spike was observed in exploitation attempts targeting CVE-2023-28771, a critical remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders. 

The coordinated attack campaign, observed on June 16, 2025, represents a concentrated burst of malicious activity after weeks of minimal exploitation attempts, with threat actors sending exploit traffic to UDP port 500 to compromise vulnerable network infrastructure devices.

Zyxel RCE Flaw Under Active Exploitation

The exploitation campaign targeting CVE-2023-28771 demonstrated a sharp increase in malicious activity, with GreyNoise detecting 244 unique IP addresses attempting to exploit the vulnerability in a concentrated timeframe. 

The attack pattern shows a dramatic spike from near-zero activity to over 240 unique exploitation attempts within a single day, indicating a coordinated campaign rather than opportunistic scanning behavior.

Historical analysis reveals that these IP addresses exhibited no prior scanning or exploit behavior in the two weeks preceding June 16, suggesting a targeted operation specifically designed to exploit this Zyxel vulnerability.

The primary target countries included the United States, the United Kingdom, Spain, Germany, and India, indicating a global scope of potential victims. 

The exploit targets the Internet Key Exchange protocol implementation listening on UDP port 500, a service commonly used for IPsec VPN negotiations and therefore frequently exposed on enterprise network perimeters.

All 244 malicious IP addresses originated from Verizon Business infrastructure and were geolocated within the United States, though security researchers caution that the UDP-based nature of the exploit makes IP spoofing highly feasible. 

This infrastructure concentration suggests either compromised Verizon Business customer devices or the use of proxy services to mask the true origin of the attacks.

GreyNoise’s deeper technical analysis identified payload characteristics consistent with Mirai botnet variants, as confirmed through VirusTotal correlation. 

The Mirai attribution is particularly concerning given this botnet family’s history of enslaving IoT devices for distributed denial-of-service attacks and cryptocurrency mining operations. 

The CVE-2023-28771 vulnerability, originally published on April 25, 2023, affects the IKE packet decoder component and allows remote attackers to execute arbitrary code without authentication, making it an attractive target for botnet operators seeking to expand their compromised device networks.

Mitigations

Organizations must block all 244 identified malicious IP addresses while acknowledging that, because UDP source addresses can be spoofed, blocking alone may be insufficient and broader defensive strategies may be required.

Network administrators should conduct urgent audits of internet-exposed Zyxel devices to ensure CVE-2023-28771 patches have been applied, as unpatched devices remain vulnerable to remote code execution attacks.

Post-exploitation monitoring becomes critical given the Mirai botnet attribution, as compromised devices may exhibit anomalous network behavior, including unusual outbound connections, bandwidth consumption, or participation in distributed attacks.

Network security teams should implement enhanced monitoring for IKE protocol traffic over UDP port 500, applying network filtering where operationally feasible to reduce unnecessary protocol exposure. 
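One way to turn that monitoring into a concrete alert is to watch for the pattern this campaign showed: a burst of source addresses hitting UDP/500 that had no activity in the preceding two weeks. The following detector is an added example, not code from GreyNoise or Zyxel; it assumes a simplified, constructed firewall log format ("YYYY-MM-DD src_ip dst_port proto") and uses documentation-range addresses rather than any real indicators.

```python
"""Flag bursts of first-seen source IPs probing UDP/500 (IKE).
Added example, not GreyNoise's or Zyxel's code. Log format is a constructed,
simplified firewall log: "YYYY-MM-DD src_ip dst_port proto".
"""
from collections import defaultdict
from datetime import date, timedelta

IKE_PORT = 500
BASELINE_DAYS = 14  # report: no prior activity in the two weeks before the spike


def parse(lines):
    """Yield (day, src_ip) for every UDP datagram aimed at the IKE port."""
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip malformed entries instead of crashing the detector
        day_s, src, port, proto = fields
        if proto.upper() == "UDP" and int(port) == IKE_PORT:
            yield date.fromisoformat(day_s), src


def first_seen_per_day(lines, baseline_days=BASELINE_DAYS):
    """Map each day to the IKE sources not seen in the preceding window."""
    active = defaultdict(set)  # day -> sources active that day
    for day, src in parse(lines):
        active[day].add(src)
    new_by_day = {}
    for day in sorted(active):
        start = day - timedelta(days=baseline_days)
        known = set().union(*(active[d] for d in active if start <= d < day))
        new_by_day[day] = active[day] - known
    return new_by_day


def detect_bursts(lines, threshold, baseline_days=BASELINE_DAYS):
    """Return [(day, count)] for days whose first-seen IKE sources hit threshold."""
    return [(day, len(srcs)) for day, srcs in first_seen_per_day(lines, baseline_days).items()
            if len(srcs) >= threshold]


# Constructed sample: two weeks of one known VPN peer, then a one-day burst of
# previously unseen sources (192.0.2.0/24 is documentation space, not real IoCs).
SAMPLE_LOG = [f"2025-06-{d:02d} 198.51.100.7 500 UDP" for d in range(2, 17)]
SAMPLE_LOG += [f"2025-06-16 192.0.2.{i} 500 UDP" for i in range(1, 26)]
SAMPLE_LOG += ["2025-06-16 192.0.2.1 443 TCP", "2025-06-16 malformed line"]

if __name__ == "__main__":
    for day, count in detect_bursts(SAMPLE_LOG, threshold=20):
        print(f"{day}: {count} first-seen sources on UDP/{IKE_PORT}")
```

The established VPN peer never trips the alert because it stays inside the baseline window, while the one-day wave of unseen sources does; tune the threshold to the number of legitimate new IKE peers your perimeter normally sees per day.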

The concentrated nature of this campaign suggests an ongoing threat actor interest in Zyxel infrastructure, necessitating continued vigilance and proactive security measures to prevent successful compromises.