GreyNoise Observes Exploit Attempts Targeting Zyxel CVE-2023-28771
On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500.

CVE: CVE-2023-28771
Exploit method: UDP port 500 (IKE packet decoder)
Date observed: June 16, 2025
Duration of activity: One day (June 16, 2025)
Unique IPs: 244
Top destination countries: U.S., U.K., Spain, Germany, India
IP classification: All malicious per GreyNoise
Infrastructure: Verizon Business (all IPs geolocated to U.S.)
Spoofable traffic: Yes (UDP-based)

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation. The top destination countries were the U.S., U.K., Spain, Germany, and India.

Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.
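A defender can look for the same pattern in their own perimeter logs: a one-day burst of sources hitting UDP port 500, most of which have no history in the preceding two weeks. The following is an added example, not GreyNoise's code; the log format, the function names, and the `min_sources` threshold are assumptions, and it counts traffic to the port rather than inspecting IKE payloads.

```python
from datetime import date, timedelta

# Constructed sample records: "<date> <src_ip> <proto> <dst_port>".
# Addresses are from documentation ranges, not real observations.
SAMPLE = """\
2025-06-03 198.51.100.7 udp 500
2025-06-10 198.51.100.7 tcp 443
2025-06-16 203.0.113.10 udp 500
2025-06-16 203.0.113.11 udp 500
2025-06-16 203.0.113.12 udp 500
2025-06-16 198.51.100.7 udp 500
2025-06-16 203.0.113.10 udp 500
not a log line
"""

def parse(text):
    """Yield (day, src, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield date.fromisoformat(parts[0]), parts[1], parts[2].lower(), int(parts[3])
        except ValueError:
            continue

def ike_burst_report(text, burst_day, lookback_days=14, min_sources=3):
    """Return (is_burst, first_seen, previously_seen) for UDP/500 on burst_day.

    lookback_days and min_sources are assumed tuning values, not GreyNoise's.
    """
    day0 = date.fromisoformat(burst_day)
    window_start = day0 - timedelta(days=lookback_days)
    prior, today = set(), set()
    for day, src, proto, port in parse(text):
        if window_start <= day < day0:
            prior.add(src)            # any activity at all in the lookback
        elif day == day0 and proto == "udp" and port == 500:
            today.add(src)            # IKE-port traffic on the burst day
    # UDP sources can be spoofed: treat these lists as leads, not attribution.
    return len(today) >= min_sources, sorted(today - prior), sorted(today & prior)

if __name__ == "__main__":
    print(ike_burst_report(SAMPLE, "2025-06-16"))
```
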