2025-02-24 03:31:26 Pacfic
Zyxel Issues No-Patch Warning for Exploited Zero-Days - 16d
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.
GreyNoise has observed attackers actively exploiting these vulnerabilities, including by Mirai-based botnets. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and even available for purchase. Zyxel recommends replacing these devices with newer models and disabling Telnet access as immediate action. The default credentials such as "supervisor:zyad1234" and "zyuser:1234" are particularly problematic, providing easy access for attackers.
ImgSrc: img.helpnetsecurity.com
References:
- securityonline.info - Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch! - 16d
- Dataconomy - Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products. - 16d
- Vulnerability Archives ? Cybersecurity News - Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable. - 16d
- @vulnerability_lookup - Command injection and insecure default credentials vulnerabilities n certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup: - 16d
- vulnerability.circl.lu - A new bundle, Command injection and insecure default credentials vulnerabilities n certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup: - 16d
- @BleepingComputer - Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products. - 15d
Classification:
- HashTags: Zyxel Vulnerability ZeroDay
- Company: Zyxel
- Target: Zyxel DSL CPE users
- Product: DSL CPE
- Feature: Vulnerability
- Type: Vulnerability
- Severity: Disaster