Zyxel

A significant spike was observed in exploitation attempts targeting CVE-2023-28771, a critical flaw in the Internet Key Exchange (IKE) packet decoder of Zyxel firewall and VPN firmware that lets an unauthenticated attacker execute OS commands by sending crafted packets to UDP port 500. The coordinated attack campaign, observed on June 16, 2025, was a concentrated burst of malicious activity after weeks of minimal exploitation attempts, with threat actors using UDP port 500 to compromise vulnerable network infrastructure devices. GreyNoise detected 244 unique IP addresses attempting to exploit the vulnerability in that window, which points to a coordinated campaign rather than opportunistic scanning. Zyxel released fixed firmware for this CVE in April 2023 (ZLD V4.73 Patch 2 for ZyWALL/USG, ZLD V5.36 Patch 1 for ATP, USG FLEX and VPN series), so the devices at risk in this campaign are those that were still unpatched more than two years later. Note that IKE also runs over UDP port 4500 when NAT traversal is in use, so any monitoring or filtering of IKE traffic should cover both ports.

Source: https://cybersecuritynews.com/hackers-actively-exploiting-zyxel-rce-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/zyxel

"id": "zyx902061725",
"linkid": "zyxel",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "",
"explanation": "Attack threatening the organization's existence: Attack in which company data is exposed"
{'affected_entities': [{'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Zyxel',
                        'type': 'Network Infrastructure'}],
 'attack_vector': 'UDP port 500',
 'date_detected': '2025-06-16',
 'description': 'A significant spike was observed in exploitation attempts '
                'targeting CVE-2023-28771, a critical remote code execution '
                'vulnerability affecting Zyxel Internet Key Exchange (IKE) '
                'packet decoders.',
 'impact': {'systems_affected': 'Internet-exposed Zyxel devices'},
 'initial_access_broker': {'entry_point': 'UDP port 500'},
 'lessons_learned': 'Continued vigilance and proactive security measures are '
                    'necessary to prevent successful compromises.',
 'motivation': 'Expanding compromised device networks for DDoS attacks and '
               'cryptocurrency mining',
 'post_incident_analysis': {'corrective_actions': 'Block malicious IP '
                                                  'addresses, conduct urgent '
                                                  'audits, apply patches, '
                                                  'implement enhanced '
                                                  'monitoring, apply network '
                                                  'filtering',
                            'root_causes': 'CVE-2023-28771 vulnerability in '
                                           'Zyxel IKE packet decoders'},
 'recommendations': 'Block malicious IP addresses, conduct urgent audits, '
                    'apply patches, implement enhanced monitoring, apply '
                    'network filtering',
 'references': [{'source': 'GreyNoise'}],
 'response': {'containment_measures': 'Block malicious IP addresses, conduct '
                                      'urgent audits of internet-exposed Zyxel '
                                      'devices, apply CVE-2023-28771 patches',
              'enhanced_monitoring': 'Enhanced monitoring for IKE protocol '
                                     'traffic over UDP port 500',
              'remediation_measures': 'Post-exploitation monitoring, implement '
                                      'enhanced monitoring for IKE protocol '
                                      'traffic over UDP port 500, apply '
                                      'network filtering'},
 'threat_actor': 'Mirai botnet variants',
 'title': 'Zyxel RCE Flaw (CVE-2023-28771) Under Active Exploitation',
 'type': 'Remote Code Execution',
 'vulnerability_exploited': 'CVE-2023-28771'}
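The burst described above (hundreds of distinct sources hitting UDP/500 in one day after a quiet baseline) and the response the record recommends (enhanced monitoring of IKE traffic on UDP port 500, network filtering, blocking malicious addresses) can be turned into a concrete detection over firewall flow logs. The following is an added example, not code from the article, GreyNoise or Zyxel: it parses constructed key=value flow-log lines, counts distinct source IPs per day on UDP/500, flags a day whose count jumps above the preceding baseline, and lists the sources on that day that are not known VPN peers as block candidates. The log format and field names, the sample data, the thresholds and the peer allowlist are all assumptions that would need mapping to a real device's log schema and tuning per site.

```python
"""
Spike detection for IKE (UDP/500) scanning against internet-exposed firewalls.
Added example, not code from the article, GreyNoise or Zyxel. The log format
(key=value fields), thresholds and allowlist below are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sample log lines (not real data): three quiet days with only the
# two known VPN peers, then a burst of 30 new sources on 2025-06-16.
SAMPLE_LOG = """
2025-06-13T02:11:09Z src=203.0.113.5 dst=198.51.100.2 proto=udp dport=500
2025-06-13T09:40:31Z src=192.0.2.10 dst=198.51.100.2 proto=udp dport=500
2025-06-14T01:02:55Z src=203.0.113.5 dst=198.51.100.2 proto=udp dport=500
2025-06-14T18:17:03Z src=198.51.100.77 dst=198.51.100.2 proto=tcp dport=443
2025-06-15T07:45:12Z src=192.0.2.10 dst=198.51.100.2 proto=udp dport=500
2025-06-15T22:03:44Z src=203.0.113.5 dst=198.51.100.2 proto=udp dport=4500
2025-06-16T00:01:10Z src=203.0.113.5 dst=198.51.100.2 proto=udp dport=500
2025-06-16T00:01:12Z src=192.0.2.10 dst=198.51.100.2 proto=udp dport=500
""" + "\n".join(
    f"2025-06-16T00:02:{i:02d}Z src=198.18.0.{i} dst=198.51.100.2 proto=udp dport=500"
    for i in range(1, 31)
)

# Assumed allowlist of legitimate site-to-site / remote-access VPN peers.
KNOWN_VPN_PEERS = ["203.0.113.5", "192.0.2.10"]


def parse_line(line):
    """Return (day, src, proto, dport) or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        day = date.fromisoformat(parts[0][:10])
        kv = dict(p.split("=", 1) for p in parts[1:])
        return day, kv["src"], kv["proto"], int(kv["dport"])
    except (ValueError, KeyError):
        return None


def ike_sources_per_day(log_text, ports=frozenset({500})):
    """Map each day to the set of distinct source IPs that sent UDP traffic
    to an IKE port. Add 4500 to `ports` to include NAT-T traffic."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, src, proto, dport = rec
        if proto == "udp" and dport in ports:
            per_day[day].add(src)
    return per_day


def find_spikes(per_day, factor=5, min_sources=10):
    """Flag days whose distinct-source count exceeds both an absolute floor and
    `factor` times the mean of all preceding days (the baseline). Both
    thresholds are assumptions to tune per site; a couple of VPN peers
    re-keying must never trigger this."""
    spikes = {}
    history = []
    for day in sorted(per_day):
        count = len(per_day[day])
        baseline = sum(history) / len(history) if history else 0
        if count >= min_sources and count > factor * baseline:
            spikes[day] = count
        history.append(count)
    return spikes


def block_candidates(per_day, spike_days, allowlist):
    """Sources seen on spike days that are not known VPN peers: candidates for
    a deny rule, with the allowlist as the only set permitted on UDP/500."""
    out = set()
    for day in spike_days:
        out |= per_day[day] - set(allowlist)
    return sorted(out)


def run(log_text=SAMPLE_LOG, allowlist=KNOWN_VPN_PEERS):
    """Full pipeline: returns ({spike_day: count}, [ips to block])."""
    per_day = ike_sources_per_day(log_text)
    spikes = find_spikes(per_day)
    return spikes, block_candidates(per_day, spikes, allowlist)


if __name__ == "__main__":
    spikes, to_block = run()
    for day, n in spikes.items():
        print(f"{day}: {n} distinct sources on UDP/500 (spike)")
    print(f"{len(to_block)} non-allowlisted sources to block or investigate")
```

The baseline is deliberately computed from distinct sources rather than packet counts, because a single scanner retrying is noise while many new sources in a short window is the campaign signature the record describes. On a device that only terminates VPNs with a fixed set of peers, the block list can be inverted into a positive filter: permit UDP/500 (and 4500) from the allowlist only and drop everything else, which removes the exposure regardless of patch state.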