On June 16, GreyNoise observed exploit attempts targeting CVE-2023-28771 — a remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders over UDP port 500. 

Key Stats

  • CVE: CVE-2023-28771
  • Exploit method: UDP port 500 (IKE packet decoder) 
  • Date observed: June 16, 2025
  • Duration of activity: One day (June 16, 2025)
  • Unique IPs: 244
  • Top destination countries: U.S., U.K., Spain, Germany, India
  • IP classification: All malicious per GreyNoise
  • Infrastructure: Verizon Business (all IPs geolocated to U.S.)
  • Spoofable traffic: Yes (UDP-based)

Observed Activity

Exploitation attempts against CVE-2023-28771 were minimal throughout recent weeks. On June 16, GreyNoise observed a concentrated burst of exploit attempts within a short time window, with 244 unique IPs observed attempting exploitation.

The top destination countries were the U.S., U.K., Spain, Germany, and India.

Historical analysis indicates that in the two weeks preceding June 16, these IPs were not observed engaging in any other scanning or exploit behavior — only targeting CVE-2023-28771.

IP Analysis 

All 244 IP addresses are registered to Verizon Business infrastructure and geolocated to the United States. However, because CVE-2023-28771 is exploited over UDP (port 500), spoofing is possible and these IPs may not reflect the true source of the traffic. 

Deeper analysis by GreyNoise identified indicators consistent with Mirai botnet variants, as confirmed by VirusTotal. An example payload and IP metadata are shown below:

Recommendations

  • Block malicious IPs: While spoofing is possible, GreyNoise has classified all 244 IPs as malicious. Defenders should immediately block these IPs while monitoring for related activity. 
  • Review Zyxel device exposure: Verify that any internet-exposed Zyxel devices are patched for CVE-2023-28771. 
  • Monitor for post-exploitation activity: Exploit attempts may lead to botnet enlistment or additional compromise. Monitor affected devices for anomalies. 
  • Limit unnecessary IKE/UDP port 500 exposure: Apply network filtering where possible to reduce unnecessary exposure. 
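One way to operationalise the monitoring recommendation above, as an added example that is not part of the GreyNoise report: a small Python script that parses constructed firewall log lines (a hypothetical key=value format), keeps only UDP/500 traffic, and flags a destination that is hit by many distinct sources inside a short window, the burst pattern this advisory describes. The log format, thresholds and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the GreyNoise report).
SAMPLE_LOGS = """\
2025-06-16T14:02:11Z fw01 action=allow proto=udp src=203.0.113.10 dst=198.51.100.5 dport=500
2025-06-16T14:02:12Z fw01 action=allow proto=udp src=203.0.113.11 dst=198.51.100.5 dport=500
2025-06-16T14:02:13Z fw01 action=allow proto=udp src=203.0.113.12 dst=198.51.100.5 dport=500
2025-06-16T14:02:14Z fw01 action=allow proto=udp src=203.0.113.13 dst=198.51.100.5 dport=500
2025-06-16T14:02:15Z fw01 action=allow proto=tcp src=203.0.113.50 dst=198.51.100.5 dport=443
2025-06-16T14:10:01Z fw01 action=allow proto=udp src=203.0.113.10 dst=198.51.100.5 dport=500
2025-06-16T15:30:00Z fw01 action=allow proto=udp src=192.0.2.7 dst=198.51.100.5 dport=500
"""

# Hypothetical log layout: timestamp host action proto src dst dport.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ action=\S+ proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def parse_ike_events(text):
    """Return (timestamp, src, dst) for every UDP/500 line; skip all other traffic."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp" or m["dport"] != "500":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"]))
    return events

def detect_ike_bursts(events, window=timedelta(minutes=5), min_unique_src=3):
    """Sliding window per destination: raise one alert when the number of distinct
    sources hitting it within `window` reaches min_unique_src (assumed threshold).
    UDP sources can be spoofed, so the source list is for blocking/triage only."""
    by_dst = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_dst[dst].append((ts, src))
    alerts = []
    for dst, evs in by_dst.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            srcs = {s for _, s in evs[start:end + 1]}
            if len(srcs) >= min_unique_src:
                alerts.append((dst, evs[start][0], evs[end][0], sorted(srcs)))
                break  # one alert per destination is enough for triage
    return alerts
```

Running `detect_ike_bursts(parse_ike_events(SAMPLE_LOGS))` on the sample above yields a single alert for 198.51.100.5 covering three distinct sources within two seconds; the single later probes do not trigger it.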

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.