CyberSecurity news

Zeljka Zorz @ Help Net Security
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.

GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program which allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands which could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.