What happened to Zyxel devices on June 16, 2025?

A coordinated wave of cyberattacks struck Zyxel firewall and VPN devices globally on June 16, 2025. Cybercriminals exploited CVE-2023-28771, a command injection flaw that allows unauthenticated attackers to execute arbitrary system commands remotely.

How do attackers exploit CVE-2023-28771?

Attackers can exploit this vulnerability by sending a single, specially crafted IKE packet to UDP port 500 on vulnerable devices. This triggers unauthenticated remote code execution without requiring any authentication or user interaction from the attacker.

How many attackers were involved in the coordinated campaign?

GreyNoise security researchers observed 244 unique IP addresses that launched coordinated attacks against vulnerable Zyxel devices globally on June 16, 2025. These IP addresses had not engaged in any other scanning or exploit behavior during the two weeks preceding the attack.

What makes this attack campaign unique?

The 244 malicious IP addresses involved in the campaign focused exclusively on exploiting CVE-2023-28771 and had not engaged in any other scanning or exploit behavior during the two weeks preceding the attack, indicating a highly targeted and coordinated effort.

Which Zyxel products are affected by CVE-2023-28771?

The affected products include ATP series (ZLD V4.60 to V5.35), USG FLEX series (ZLD V4.60 to V5.35), VPN series (ZLD V4.60 to V5.35), and ZyWALL/USG series (ZLD V4.60 to V4.73). All these products have patches available.

Are patches available for the affected Zyxel devices?

Yes, patches are available for all affected products. ATP, USG FLEX, and VPN series are patched in ZLD V5.36, while ZyWALL/USG series are patched in ZLD V4.73 Patch 1. Zyxel urges users to install patches immediately.

What should organizations do if they cannot immediately patch?

For organizations unable to immediately apply patches, Zyxel recommends implementing network filtering to restrict unnecessary exposure of IKE and UDP port 500 services as a temporary protective measure.

Why is this vulnerability particularly dangerous?

CVE-2023-28771 is particularly dangerous because it allows unauthenticated remote code execution with a critical CVSS score of 9.8. Attackers need only send a single crafted packet to UDP port 500, requiring no authentication or user interaction, making it extremely easy to exploit.

What does the coordinated nature of these attacks suggest?

The coordinated nature of the attacks, involving 244 IP addresses that exclusively targeted this specific vulnerability without engaging in other malicious activities, suggests a well-organized threat actor campaign specifically designed to exploit unpatched Zyxel devices on a global scale.

Attack

Coordinated cyberattacks target two years old Zyxel firewall flaw

Q: What is CVE-2023-28771?

CVE-2023-28771 is a critical command injection vulnerability with a CVSS score of 9.8 affecting Zyxel firewall and VPN devices. The vulnerability stems from improper error message handling in Zyxel's Internet Key Exchange (IKE) packet decoder, which processes VPN connection requests over UDP port 500.

Q: Which countries were targeted in the Zyxel attacks?

The coordinated attacks targeted devices in the United States, United Kingdom, Spain, Germany, and India, indicating a global scope of the campaign.

Q: When was CVE-2023-28771 originally disclosed?

Zyxel originally disclosed this vulnerability and released security patches on April 25, 2023, providing organizations with over two years to implement protective measures before this recent coordinated attack campaign.

published: June 17, 2025

Take action: If you still haven't patched your ZyXel firewall, and it's exposed on UDP port 500 to the internet, time to act NOW! Isolate the UDP port 500 from the internet, and start patching your firewalls. And check for any indicators of compromise, if possible even do a factory reset and load a trusted configuration.

Learn More

A coordinated wave of cyberattacks struck Zyxel firewall and VPN devices was detected globally on June 16, 2025.

Hackers are exploiting CVE-2023-28771 (CVSS score 9.8) - a command injection flaw that allows unauthenticated attackers to execute arbitrary system commands remotely.

The vulnerability stems from improper error message handling in Zyxel's Internet Key Exchange (IKE) packet decoder, which processes VPN connection requests over UDP port 500.

Attackers can exploit this vulnerability by sending a single, specially crafted IKE packet to UDP port 500 on vulnerable devices, triggering unauthenticated remote code execution without requiring any authentication or user interaction.

GreyNoise security researchers observed a concentrated burst of exploitation attempts on June 16, 2025, involving 244 unique IP addresses that launched coordinated attacks against vulnerable Zyxel devices globally.

The 244 malicious IP addresses had not engaged in any other scanning or exploit behavior during the two weeks preceding the attack, which means the attackers focus exclusively on exploiting CVE-2023-28771.

The targets are in the United States, United Kingdom, Spain, Germany, and India.

The vulnerable products within their vulnerability support period have been identified and patches released to address the vulnerability:

ATP series (ZLD V4.60 to V5.35) - Patched in ZLD V5.36
USG FLEX series (ZLD V4.60 to V5.35) - Patched in ZLD V5.36
VPN series (ZLD V4.60 to V5.35) - Patched in ZLD V5.36
ZyWALL/USG series (ZLD V4.60 to V4.73) - Patched in ZLD V4.73 Patch 1

Zyxel urges users to install patches ASAP. The vendor originally disclosed this vulnerability and released security patches on April 25, 2023, providing organizations with over two years to implement protective measures before this recent attack campaign.

For organizations unable to immediately apply patches, network filtering should be implemented to restrict unnecessary exposure of IKE and UDP port 500 services.

Coordinated cyberattacks target two years old Zyxel firewall flaw

Read More
Citrix releases emergency patches for actively exploited vulnerability …
Windows kernel flaw actively exploited
VMware reports public exploit of vRealize RCE vulnerability
Microsoft confirms active exploitation of CVE-2024-43461, don't delay …
Active GithHub Phishing campaign impersonating GitHub Recruitment