Zyxel Devices Under Attack as Hackers Exploit UDP Port RCE Flaw
A sudden and highly coordinated wave of cyberattacks has struck Zyxel firewall and VPN devices worldwide, as hackers exploit a critical remote code execution (RCE) vulnerability tracked as CVE-2023-28771.
The attacks, observed on June 16, 2025, targeted the Internet Key Exchange (IKE) packet decoder listening on UDP port 500 to remotely inject system commands and potentially seize full control of unpatched Zyxel devices.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2023-28771 |
| Vulnerability Type | OS Command Injection (Remote Code Execution) |
| Severity (CVSS v3.1) | 9.8 (Critical) |
GreyNoise reported a concentrated burst of exploit attempts within a short time window on June 16.
The 244 unique IPs involved had not been seen in any prior scanning or exploit activity in the preceding two weeks, indicating a deliberate, synchronized campaign focused solely on exploiting this Zyxel flaw.

The attack traffic was not limited to a single region; instead, it targeted organizations in the U.S., U.K., Spain, Germany, and India—countries with a significant presence of Zyxel devices in businesses and government agencies.
Technical Analysis
CVE-2023-28771 is a critical command injection vulnerability (CVSS 9.8) affecting several Zyxel product lines, including ATP (Advanced Threat Protection), USG FLEX, VPN series, and ZyWALL/USG, across firmware versions ZLD V4.60 to V5.35 (or V4.73 for ZyWALL/USG).
Attackers can exploit the flaw by sending a single, specially crafted IKE packet to UDP port 500, triggering unauthenticated remote code execution.
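The affected firmware range above is the first thing a defender needs to check against an asset inventory. The following is an added example, not Zyxel's own tooling: it parses ZLD version strings and flags devices whose firmware falls inside the range the article lists (V4.60 to V5.35, or V4.73 for ZyWALL/USG). The inventory, hostnames and version strings are constructed, the range is treated as inclusive on both ends, and patch-level suffixes are ignored, all of which are assumptions; a device sitting exactly on a boundary should be confirmed against the vendor advisory.

```python
"""Inventory triage for CVE-2023-28771 by ZLD firmware version.

Added example (not Zyxel's tooling). Assumptions: the affected range from the
article is inclusive on both ends, and "Patch N" suffixes are not modelled.
"""
import re

# Matches "ZLD V5.21", "V4.73" or a bare "5.35"; captures (major, minor).
VERSION_RE = re.compile(r"V?(\d+)\.(\d+)", re.IGNORECASE)

# (lowest, highest) affected ZLD version per product family, per the article.
AFFECTED_RANGE = {
    "ATP": ((4, 60), (5, 35)),
    "USG FLEX": ((4, 60), (5, 35)),
    "VPN": ((4, 60), (5, 35)),
    "ZyWALL/USG": ((4, 60), (4, 73)),
}


def parse_zld_version(text):
    """Turn 'ZLD V5.21' (or '5.21') into a comparable (major, minor) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ZLD version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(family, version_text):
    """True if the firmware lies inside the affected range for that family."""
    if family not in AFFECTED_RANGE:
        raise KeyError(f"unknown product family: {family!r}")
    low, high = AFFECTED_RANGE[family]
    return low <= parse_zld_version(version_text) <= high


def triage(inventory):
    """inventory: iterable of (hostname, family, version). Returns hosts to patch."""
    return [host for host, family, version in inventory if is_affected(family, version)]


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "USG FLEX", "ZLD V5.21"),    # inside range
    ("fw-hq-01", "ATP", "ZLD V5.36"),             # above range
    ("fw-legacy-01", "ZyWALL/USG", "ZLD V4.73"),  # upper bound for ZyWALL/USG
    ("fw-vpn-01", "VPN", "ZLD V4.60"),            # lower bound
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware inside CVE-2023-28771 affected range, patch required")
```

Note that the ZyWALL/USG family has its own upper bound, so the same version string can be affected on one product line and outside the range on another; the lookup is keyed on family for that reason.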

Deeper analysis of payloads and IP metadata revealed indicators consistent with Mirai botnet variants, suggesting that compromised devices could be conscripted into large-scale botnets for further attacks or distributed denial-of-service (DDoS) campaigns.

All observed malicious IPs are registered to Verizon Business and geolocated in the U.S.; however, due to the UDP-based nature of the attack, IP spoofing is feasible.
This raises doubts about the true origin of the threat actors and complicates attribution efforts.
Defensive Recommendations
- Patch Immediately: Ensure all Zyxel devices are updated with the latest firmware to address CVE-2023-28771.
- Block Malicious IPs: Despite spoofing risks, block the 244 IPs identified by GreyNoise and monitor for related activity.
- Restrict UDP Port 500 Exposure: Limit unnecessary exposure of IKE/UDP port 500 through network filtering.
- Monitor for Anomalies: Watch for signs of post-exploitation, such as unusual process behavior or botnet enrollment.
- Review Device Exposure: Confirm that no unnecessary services are exposed to the internet and disable WAN management where possible.
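The anomaly GreyNoise described, many source addresses with no history in the preceding two weeks all hitting UDP port 500 inside a short window, is something a defender can look for in their own firewall or flow logs. The script below is an added example, not part of the article or of GreyNoise's tooling: it reads a simple flow-log format, keeps a per-source history of IKE contacts, and raises an alert when a burst of previously unseen, non-allowlisted sources appears within a sliding window. The log format, all addresses, the allowlist of expected IKE peers and the thresholds are constructed for the example.

```python
"""Detect bursts of UDP/500 (IKE) traffic from previously unseen sources.

Added example (not the article's or GreyNoise's code). The flow-log format,
the addresses and the thresholds are constructed; tune them to your logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines: "<ISO timestamp> <src_ip> <dst_ip> <proto>/<dst_port>"
SAMPLE_LOG = """\
2025-06-02T09:15:00 203.0.113.10 198.51.100.1 UDP/500
2025-06-10T11:00:00 203.0.113.10 198.51.100.1 UDP/500
2025-06-16T14:00:01 192.0.2.11 198.51.100.1 UDP/500
2025-06-16T14:00:02 192.0.2.12 198.51.100.1 UDP/500
2025-06-16T14:00:03 192.0.2.13 198.51.100.1 UDP/500
2025-06-16T14:00:04 192.0.2.14 198.51.100.1 UDP/500
2025-06-16T14:00:05 192.0.2.15 198.51.100.1 TCP/443
2025-06-16T14:00:06 203.0.113.10 198.51.100.1 UDP/500
"""

# Hypothetical allowlist of site-to-site VPN peers expected to talk IKE to us.
KNOWN_PEERS = {"203.0.113.10"}


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, dst_port)."""
    ts, src, dst, service = line.split()
    proto, port = service.split("/")
    return datetime.fromisoformat(ts), src, dst, proto, int(port)


def find_ike_bursts(log_text, window=timedelta(minutes=5), min_new_sources=3,
                    baseline=timedelta(days=14), known_peers=KNOWN_PEERS):
    """Return [(window_start, sorted_new_sources)] for each distinct burst.

    A source counts as "new" when it is not an allowlisted peer and sent no
    IKE traffic during the `baseline` period before the window started.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    # Keep only IKE traffic; drop everything else (e.g. the TCP/443 line).
    ike = [(ts, src) for ts, src, _dst, proto, port in events
           if proto == "UDP" and port == 500]

    seen_by_src = defaultdict(list)
    for ts, src in ike:
        seen_by_src[src].append(ts)

    def seen_before(src, start):
        # Any IKE contact from src inside the baseline period preceding `start`.
        return any(start - baseline <= t < start for t in seen_by_src[src])

    alerts, reported = [], set()
    for i, (start, _) in enumerate(ike):
        new_sources = set()
        for ts, src in ike[i:]:          # sliding window anchored at event i
            if ts - start > window:
                break
            if src in known_peers or seen_before(src, start):
                continue
            new_sources.add(src)
        # Alert once per burst: skip windows that add no unreported sources.
        if len(new_sources) >= min_new_sources and not new_sources <= reported:
            alerts.append((start, sorted(new_sources)))
            reported |= new_sources
    return alerts


if __name__ == "__main__":
    for start, sources in find_ike_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()}: {len(sources)} previously unseen sources on UDP/500: "
              f"{', '.join(sources)}")
```

The allowlist is what turns this from a noisy counter into a useful signal: on a device that only terminates a handful of site-to-site tunnels, legitimate IKE peers are few and stable, so a cluster of strangers on UDP/500 stands out. Because UDP sources can be spoofed, treat the list of flagged addresses as an indicator to investigate rather than proof of origin, and pair it with the host-level checks above for post-exploitation activity.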
This incident underscores the urgency of timely patch management and vigilant network monitoring for organizations relying on Zyxel devices.
With attackers increasingly automating exploits and leveraging botnets, unpatched devices remain prime targets for rapid compromise and enlistment in global attack campaigns.