CyberSecurity news

FlagThis - #Zyxel

Zeljka Zorz@Help Net Security //
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.

GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program which allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands which could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.

Recommended read:
References:
  • gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
  • The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
  • Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
  • thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability | The DefendOps Diaries
  • ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers – Source: www.darkreading.com
  • BleepingComputer: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.
  • securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
  • www.bleepingcomputer.com: Hackers exploit critical unpatched flaw in Zyxel CPE devices
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup
  • SecurityWeek: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days
  • The GreyNoise Blog: Active exploitation of zero-day Zyxel CPE vulnerability (CVE-2024-40891)
  • www.zyxel.com: Zyxel security advisory confirms the existence of command injection and insecure default credentials vulnerabilities affecting end-of-life DSL CPE products.
  • Dataconomy: If you own these Zyxel devices uninstall them now: No fix is coming

@www.helpnetsecurity.com //
Zyxel CPE devices are under active attack due to a critical, unpatched zero-day vulnerability identified as CVE-2024-40891. This command injection flaw allows unauthenticated attackers to execute arbitrary commands via the telnet protocol, potentially leading to complete system compromise, data exfiltration, and network infiltration. The vulnerability, first acknowledged by VulnCheck in July 2024, is similar to another HTTP-based flaw, CVE-2024-40890, but uses telnet, and continues to be exploited because of the lack of a patch from Zyxel. Cyber security researchers have observed active exploitation attempts originating from numerous IP addresses, particularly in Taiwan, impacting over 1,500 devices globally, according to Censys.

The active exploitation of CVE-2024-40891 has prompted security researchers to issue warnings and provide guidance to affected users. GreyNoise, in collaboration with VulnCheck, has been monitoring the attacks and observed a significant overlap between IPs exploiting this vulnerability and those associated with the Mirai botnet. The lack of an official fix means that users are urged to take immediate steps such as filtering traffic for unusual telnet requests, restricting administrative interface access to trusted IPs, and monitoring Zyxel's official communication channels for patch announcements. These actions are crucial to mitigate the risk of exploitation until Zyxel releases an official patch.

Recommended read:
References:
  • The Hacker News: Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability
  • Help Net Security: Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
  • gbhackers.com: Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild
  • thedefendopsdiaries.com: Exploiting the Unpatched: A Deep Dive into Zyxel CPE Vulnerability
  • ciso2ciso.com: Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers
  • securityonline.info: Zero-Day Alert: Mirai Botnet Exploiting Unpatched Zyxel CPE Vulnerability (CVE-2024-40891)
  • www.bleepingcomputer.com: Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July.

Zeljka Zorz@Help Net Security //
Critical vulnerabilities have been discovered in several legacy Zyxel Customer Premises Equipment (CPE) products, leaving users at risk. Security researchers at VulnCheck identified these flaws, which include command injection vulnerabilities (CVE-2024-40891) and the presence of insecure default credentials (CVE-2025-0890). The combination of these vulnerabilities allows attackers to execute arbitrary code on affected devices, potentially granting them full control and enabling data theft, further attacks, or disruption of internet connectivity.

Zyxel has announced that it will not be releasing patches for these vulnerabilities, citing that the affected models have reached their end-of-life (EOL). These models include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500. Zyxel is urging users to replace these devices with newer models. If immediate replacement is not possible, disabling Telnet access and ensuring the default credentials are changed has been suggested.

Recommended read:
References:
  • securityonline.info: Security researchers at VulnCheck have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
  • Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
  • Vulnerability-Lookup: A new bundle, Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup

Zeljka Zorz@Help Net Security //
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.

GreyNoise has observed attackers, including Mirai-based botnets, actively exploiting these vulnerabilities. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and are even still available for purchase. Zyxel recommends replacing these devices with newer models and disabling Telnet access as immediate actions. The default credentials, such as "supervisor:zyad1234" and "zyuser:1234", are particularly problematic, since they provide easy access for attackers.

Recommended read:
References:
  • securityonline.info: Zyxel Routers Under Attack: Default Credentials (CVE-2025-0890) and Code Injection (CVE-2024-40891), No Patch!
  • Dataconomy: Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.
  • securityonline.info: Security researchers have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE), leaving countless users vulnerable.
  • Vulnerability-Lookup: Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel, has been published on Vulnerability-Lookup
  • BleepingComputer: Zyxel will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products.