Introduction: A Resurgence in a Dormant Threat
A critical vulnerability affecting Zyxel firewall devices—CVE-2023-28771—has suddenly resurfaced as a high-priority cybersecurity concern. Though it was first disclosed and patched over a year ago, a recent and concentrated wave of exploit attempts has drawn renewed attention. GreyNoise researchers flagged the abnormal spike, revealing hundreds of attempts within a short span of time, originating from what appears to be Verizon Business IPs. This resurgence has alarming implications not just for Zyxel device owners, but also for global infrastructure and botnet proliferation.
The Exploit Surge
On June 16, 2025, cybersecurity researchers at GreyNoise detected a sudden spike in attempts to exploit CVE-2023-28771, a remote code execution (RCE) flaw with a critical CVSS score of 9.8. This vulnerability targets Zyxel firewall devices via IKE (Internet Key Exchange) protocol decoders on UDP port 500. While previous weeks had seen minimal activity, that day recorded a dramatic escalation—244 unique IP addresses attempted exploitation within a narrow time window.
The primary targets of these attacks were concentrated in major Western countries, including the United States, United Kingdom, Spain, Germany, and India. Intriguingly, none of the attacking IP addresses had shown any other suspicious behavior in the weeks leading up to the attack, suggesting a deliberate and calculated deployment.
All 244 suspicious IP addresses were linked to Verizon Business infrastructure in the U.S. However, because UDP does not require a handshake and source addresses are easily spoofed, researchers have cautioned that these IPs may not represent the true origin of the attacks. Further analysis by GreyNoise, corroborated by VirusTotal, linked the activity to variants of the notorious Mirai botnet, a malware family known for enslaving IoT devices into large-scale distributed denial-of-service (DDoS) attacks.
Zyxel had already patched the vulnerability in April 2023 and urged customers to update their systems. Despite that, some devices remain unpatched and vulnerable, making them ideal targets for attackers. By late May 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its “Known Exploited Vulnerabilities” catalog, a list that highlights actively targeted weaknesses across various infrastructures.
GreyNoise has also issued mitigation advice, recommending immediate patching and enhanced monitoring for signs of botnet-related activity.
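The "enhanced monitoring" advice above is easier to act on with a concrete check. The script below is an added example, not code from the article, GreyNoise or Zyxel: it parses firewall log lines in an assumed, hypothetical syslog-like format (adjust the regular expression to your device's export), buckets distinct source addresses that reach UDP/500 (the IKE service the exploit attempts target) per hour, and flags an hour whose unique-source count jumps well above the median of the other hours, the same kind of burst GreyNoise reported. The sample log lines are constructed and use documentation address ranges; no real traffic is involved.

```python
"""Detect a burst of distinct sources probing UDP/500 (IKE) in firewall logs.

Added example. Log format, thresholds and sample data are assumptions,
not anything published by the vendor or by GreyNoise.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from statistics import median

# Hypothetical syslog-like line format, e.g.
# 2025-06-16T06:01:00Z fw proto=udp src=203.0.113.1:40001 dst=192.0.2.1:500 action=deny
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) fw proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"action=(?P<action>\w+)$"
)

IKE_PORT = 500  # IKE listens here; the CVE-2023-28771 exploit attempts reach this decoder


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def ike_sources_per_hour(lines):
    """Map each hour ('YYYY-MM-DDTHH') to the set of distinct sources that sent UDP/500 traffic."""
    buckets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "udp" and int(rec["dport"]) == IKE_PORT:
            buckets[rec["ts"][:13]].add(rec["src"])
    return buckets


def summarize_prefixes(sources, prefix_len=24):
    """Count sources per IPv4 /prefix_len. UDP source addresses can be spoofed, so a
    single dominant prefix is an investigation lead, not proof of origin."""
    return Counter(str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
                   for src in sources)


def detect_bursts(lines, factor=5, min_unique=20):
    """Flag hours whose distinct UDP/500 source count is at least `min_unique` and at
    least `factor` times the median hourly count over the whole sample. The absolute
    floor stops a quiet network (median 0 or 1) from alerting on a handful of peers."""
    buckets = ike_sources_per_hour(lines)
    if not buckets:
        return []
    baseline = median(len(srcs) for srcs in buckets.values())
    threshold = max(min_unique, factor * baseline)
    return [
        {"hour": hour, "unique_sources": len(srcs), "baseline": baseline,
         "prefixes": summarize_prefixes(srcs)}
        for hour, srcs in sorted(buckets.items())
        if len(srcs) >= threshold
    ]


def build_sample_logs():
    """Constructed sample lines (not real traffic): six quiet hours with two or three
    legitimate IKE peers plus unrelated noise, then one hour with 30 distinct sources."""
    lines = []
    day = "2025-06-16"
    for hour in range(6):
        n_peers = 2 if hour % 2 == 0 else 3
        for i in range(1, n_peers + 1):
            lines.append(f"{day}T{hour:02d}:10:00Z fw proto=udp "
                         f"src=198.51.100.{i}:500 dst=192.0.2.1:500 action=deny")
        # noise that the IKE filter must ignore: HTTPS and NAT-T on UDP/4500
        lines.append(f"{day}T{hour:02d}:20:00Z fw proto=tcp "
                     f"src=198.51.100.9:51000 dst=192.0.2.1:443 action=allow")
        lines.append(f"{day}T{hour:02d}:30:00Z fw proto=udp "
                     f"src=198.51.100.9:4500 dst=192.0.2.1:4500 action=deny")
    for i in range(1, 31):
        lines.append(f"{day}T06:{i:02d}:00Z fw proto=udp "
                     f"src=203.0.113.{i}:{40000 + i} dst=192.0.2.1:500 action=deny")
    return lines


if __name__ == "__main__":
    for burst in detect_bursts(build_sample_logs()):
        print(f"{burst['hour']}: {burst['unique_sources']} distinct UDP/500 sources "
              f"(median hour: {burst['baseline']}); top prefixes: "
              f"{burst['prefixes'].most_common(3)}")
```

On the constructed sample the six quiet hours give a median of 3 distinct sources, so the threshold is max(20, 15) = 20 and only the 06:00 hour, with 30 sources all inside 203.0.113.0/24, is reported. The prefix summary mirrors the article's observation that every attacking address mapped to one provider, and the comment in `summarize_prefixes` records why that is a lead rather than attribution: a UDP source address is whatever the sender chose to write.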
What Undercode Says:
This sudden resurgence of exploit attempts highlights a few pressing concerns in modern cybersecurity—chief among them is the illusion of security that can follow patch announcements. CVE-2023-28771 may have been disclosed and patched over a year ago, but its revival suggests that many organizations failed to act on those warnings.
The observed focus on Zyxel devices isn’t random. These firewalls are widely used in both enterprise and small-to-medium business networks, making them high-value targets for botnet herders looking to expand their control. The Mirai botnet, although old, continues to evolve and adapt. Its latest iterations are clearly designed to seek out overlooked vulnerabilities like CVE-2023-28771, turning them into entry points for malware deployment.
Another unsettling detail is the uniformity of the attacking IPs, all reportedly linked to Verizon Business. The nature of UDP and spoofed traffic throws attribution into murky waters, and this could be a classic case of false-flag operations or attackers masking their source. But even if these IPs are just shells or proxies, their sheer volume in a short burst suggests a coordinated action—potentially a probing phase before a larger wave of attacks.
The fact that the attackers remained dormant for two weeks before unleashing this burst also indicates operational sophistication. This wasn’t a brute-force sweep—it was a sniper strike. The lack of any additional suspicious activity reinforces that theory, showing a singular focus on exploiting this one vulnerability.
In broader context, this incident also speaks volumes about the lifecycle of vulnerabilities in cybersecurity. A flaw can go quiet for months, even years, and then suddenly be resurrected as tools, techniques, or motivations evolve. CISA’s move to catalog this as a known exploited vulnerability was not just reactive but predictive. Organizations should take note that being reactive is no longer enough—proactive patching and threat intelligence consumption are critical for survival.
This story also dovetails with a growing trend of malware-as-a-service (MaaS), where exploits like these are packaged and sold or shared among hacker communities. The ease with which botnet builders can distribute Mirai variants with tailored modules for known vulnerabilities makes such threats nearly impossible to eradicate—only contain.
With the IoT explosion and edge computing becoming more prominent, firewalls and routers remain an attractive initial foothold for attackers. The lesson here is clear: Old vulnerabilities don’t die; they just wait for their moment to strike again.
🔍 Fact Checker Results:
✅ CVE-2023-28771 was confirmed as a critical RCE vulnerability by Zyxel and patched in April 2023.
✅ VirusTotal validated the connection to Mirai botnet variants.
✅ CISA officially added this vulnerability to its Known Exploited Vulnerabilities catalog in May 2025.
📊 Prediction:
Given the pattern of activity and botnet linkage,
References:
Reported By: securityaffairs.com