Divya@gbhackers.com - 88d
The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about multiple actively exploited vulnerabilities affecting popular software and hardware. These flaws impact Zyxel firewalls, CyberPanel, North Grid, and ProjectSend, giving attackers unauthorized system access and control. Specifically, CyberPanel's CVE-2024-51378, with a critical CVSS score of 10.0, allows authentication bypass and arbitrary command execution, facilitating ransomware deployment. Other vulnerabilities include improper authentication in ProjectSend (CVE-2024-11680), improper XML External Entity restriction in North Grid Proself (CVE-2023-45727), and path traversal in Zyxel firewalls (CVE-2024-11667). These vulnerabilities have been linked to various ransomware campaigns, including PSAUX and Helldown.
Organizations using these products are strongly advised to implement the security updates and mitigations provided by the vendors immediately. The high severity of these vulnerabilities, particularly the perfect score given to CVE-2024-51378, underscores the urgent need for action to prevent exploitation. CISA has added these flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate them by December 25, 2024. Failure to act promptly leaves organizations vulnerable to significant security breaches and data loss.
Zeljka Zorz@Help Net Security - 32d
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891. These vulnerabilities affect multiple legacy DSL CPE products, including models VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. The vulnerabilities enable attackers to execute arbitrary commands on the affected devices. One of the vulnerabilities, CVE-2024-40891, is being actively exploited in the wild by a Mirai botnet variant.
GreyNoise warned that over 1,500 devices are affected by the command injection bug. CVE-2024-40890 is a post-authentication command injection vulnerability in the CGI program that allows an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. CVE-2024-40891 is a post-authentication command injection vulnerability in the management commands that could allow an authenticated attacker to execute OS commands on an affected device via Telnet. Zyxel advises users to replace the end-of-life products with newer-generation devices for optimal protection.
@www.helpnetsecurity.com - 32d
Zyxel CPE devices are under active attack due to a critical, unpatched zero-day vulnerability identified as CVE-2024-40891. This command injection flaw allows unauthenticated attackers to execute arbitrary commands via the Telnet protocol, potentially leading to complete system compromise, data exfiltration, and network infiltration. The vulnerability, first acknowledged by VulnCheck in July 2024, is similar to another HTTP-based flaw, CVE-2024-40890, but uses Telnet, and continues to be exploited because of the lack of a patch from Zyxel. Cybersecurity researchers have observed active exploitation attempts originating from numerous IP addresses, particularly in Taiwan, impacting over 1,500 devices globally, according to Censys.
The active exploitation of CVE-2024-40891 has prompted security researchers to issue warnings and provide guidance to affected users. GreyNoise, in collaboration with VulnCheck, has been monitoring the attacks and observed a significant overlap between IPs exploiting this vulnerability and those associated with the Mirai botnet. The lack of an official fix means that users are urged to take immediate steps such as filtering traffic for unusual Telnet requests, restricting administrative interface access to trusted IPs, and monitoring Zyxel's official communication channels for patch announcements. These actions are crucial to mitigate the risk of exploitation until Zyxel releases an official patch.
Zeljka Zorz@Help Net Security - 24d
Critical vulnerabilities have been discovered in several legacy Zyxel Customer Premises Equipment (CPE) products, leaving users at risk. Security researchers at VulnCheck identified these flaws, which include command injection vulnerabilities (CVE-2024-40891) and the presence of insecure default credentials (CVE-2025-0890). The combination of these vulnerabilities allows attackers to execute arbitrary code on affected devices, potentially granting them full control and enabling data theft, further attacks, or disruption of internet connectivity.
Zyxel has announced that it will not be releasing patches for these vulnerabilities, citing that the affected models have reached their end-of-life (EOL). These models include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500. Zyxel is urging users to replace these devices with newer models. If immediate replacement is not possible, it has been suggested that users disable Telnet access and ensure the default credentials are changed.
Zeljka Zorz@Help Net Security - 25d
Zyxel is warning users of its legacy DSL Customer Premises Equipment (CPE) products about actively exploited zero-day vulnerabilities that will not be patched. These vulnerabilities, identified as CVE-2024-40891 and CVE-2025-0890, allow attackers to execute arbitrary commands due to a combination of command injection flaws in the Telnet service and the presence of default credentials. This combination enables unauthenticated attackers to gain full control over affected routers, potentially leading to data theft, further attacks, and disruption of internet connectivity.
GreyNoise has observed attackers, including Mirai-based botnets, actively exploiting these vulnerabilities. The affected models, including VMG1312-B10A, VMG3926-B10B, and SBG3500, are end-of-life but remain in use and are even still available for purchase. Zyxel recommends replacing these devices with newer models and disabling Telnet access as immediate action. The default credentials such as "supervisor:zyad1234" and "zyuser:1234" are particularly problematic, providing easy access for attackers.
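The mitigations the advisories above recommend for the end-of-life Zyxel CPE models (no Telnet exposure, administrative access only from trusted networks, default accounts retired) can be checked against existing logs. The following is an added example, not code from the page, from Zyxel or from GreyNoise: it triages constructed connection and login events, assuming a hypothetical key=value log format and an assumed trusted management network of 10.0.0.0/24.

```python
# Added example (not from the page or from Zyxel): flag events that violate the
# advisories' mitigations for EOL Zyxel CPE. Log format and trusted network are
# assumptions; the model list and default usernames are those quoted above.
import ipaddress
from typing import Dict, List

EOL_MODELS = {"VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
              "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
              "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500"}
DEFAULT_USERS = {"supervisor", "zyuser"}
# Assumed trusted management network; adjust to your environment.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample data: a device inventory (address -> model) and firewall /
# authentication events in a simple hypothetical "key=value" form.
INVENTORY = {"192.0.2.10": "VMG1312-B10A", "192.0.2.11": "SBG3500",
             "192.0.2.20": "NON-EOL-MODEL"}
EVENTS = [
    "ts=1 src=203.0.113.5 dst=192.0.2.10 dport=23 action=connect",
    "ts=2 src=10.0.0.7 dst=192.0.2.11 dport=23 action=connect",
    "ts=3 src=203.0.113.9 dst=192.0.2.10 dport=23 action=login user=supervisor result=ok",
    "ts=4 src=10.0.0.7 dst=192.0.2.20 dport=443 action=login user=admin result=ok",
    "ts=5 src=203.0.113.9 dst=192.0.2.20 dport=23 action=connect",
    "ts=6 src=10.0.0.7 dst=192.0.2.20 dport=23 action=connect",
]

def parse(line: str) -> Dict[str, str]:
    return dict(kv.split("=", 1) for kv in line.split())

def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def triage(events: List[str], inventory: Dict[str, str]) -> List[str]:
    """Return one finding per event that breaks a recommended mitigation."""
    findings = []
    for line in events:
        ev = parse(line)
        model = inventory.get(ev["dst"], "unknown")
        telnet = ev.get("dport") == "23"
        if telnet and model in EOL_MODELS:
            # Telnet is to be disabled entirely on EOL CPE, so any session counts.
            findings.append(f"{ev['ts']}: telnet to EOL {model} at {ev['dst']} from {ev['src']}")
        elif telnet and not is_trusted(ev["src"]):
            findings.append(f"{ev['ts']}: telnet from untrusted {ev['src']} to {ev['dst']}")
        if ev.get("action") == "login" and ev.get("user") in DEFAULT_USERS and ev.get("result") == "ok":
            findings.append(f"{ev['ts']}: successful login with default account {ev['user']} on {ev['dst']}")
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, INVENTORY):
        print(finding)
```

Event 6 (Telnet from the trusted network to a non-EOL model) produces no finding, which is the point of the trusted-range check; everything else in the sample is reported.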