CyberSecurity news
Zeljka Zorz@Help Net Security - 21d
Critical vulnerabilities have been discovered in several legacy Zyxel Customer Premises Equipment (CPE) products, leaving users at risk. Security researchers at VulnCheck identified the flaws: a command injection vulnerability (CVE-2024-40891) and insecure default credentials (CVE-2025-0890). Together, these vulnerabilities allow attackers to execute arbitrary code on affected devices, potentially giving them full control and enabling data theft, further attacks, or disruption of internet connectivity.
Zyxel has announced that it will not release patches for these vulnerabilities because the affected models have reached end-of-life (EOL). The models are VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500. Zyxel urges users to replace these devices with newer models. Where immediate replacement is not possible, the suggested mitigation is to disable Telnet access and ensure the default credentials have been changed.
References :
- securityonline.info: Security researchers at VulnCheck have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
- Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
- Vulnerability-Lookup: A new bundle, Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup:
- vulnerability.circl.lu: Vulnerability-Lookup bundle