Zyxel, a manufacturer of firewalls and security appliances, has faced a ransomware attack due to exploitation of a command injection vulnerability (CVE-2024-42057). Attackers utilized this flaw in devices configured with User-Based-PSK authentication with long usernames. The vulnerability allowed command execution on affected devices, leading to compromised firewalls and potentially providing unauthorized access to network resources. Zyxel took measures by releasing a firmware update and urging users to change admin and user account passwords. The attack has been linked to the Helldown ransomware gang, known for targeting firewalls for initial compromise and deploying ransomware within organizational networks.

A significant spike was observed in exploitation attempts targeting CVE-2023-28771, a critical remote code execution vulnerability affecting Zyxel Internet Key Exchange (IKE) packet decoders. The coordinated attack campaign, observed on June 16, 2025, represents a concentrated burst of malicious activity after weeks of minimal exploitation attempts, with threat actors leveraging UDP port 500 to compromise vulnerable network infrastructure devices. GreyNoise detected 244 unique IP addresses attempting to exploit the vulnerability, indicating a coordinated campaign rather than opportunistic scanning behavior.