Unpatched Zyxel CPE Zero-Day Pummeled by Cyberattackers

VulnCheck initially disclosed the critical command-injection vulnerability (CVE-2024-40891) six months ago, but Zyxel has yet to mention its existence or offer users a patch to mitigate threats.


NEWS BRIEF

A command-injection vulnerability in Zyxel CPE Series devices is being targeted by threat actors, and there's no patch available.

The bug, tracked as CVE-2024-40891, was first discovered by VulnCheck, a vulnerability intelligence firm, and disclosed to the vendor last July. Half a year later, Zyxel has yet to fix or even mention the vulnerability.

If successfully exploited, CVE-2024-40891 could allow threat actors to execute arbitrary commands on affected devices, which could ultimately lead to system compromise, network infiltration, and data leaks, according to VulnCheck.

Researchers at GreyNoise meanwhile have been coordinating with the researchers at VulnCheck regarding exploitation of the vulnerability, and decided to disclose it publicly this week due to the "large number of attacks" they have been observing.

They also noted that CVE-2024-40891 is very similar to a known issue tracked as CVE-2024-40890, the primary difference being that one is telnet-based and the other HTTP-based. Both, however, allow unauthenticated attackers to execute arbitrary commands via the "supervisor" or "zyuser" service accounts.

The lack of a patch could be a significant issue: Censys is reporting more than 1,500 vulnerable devices online, and it looks like some botnet operators have built exploits for the bug into their code, according to GreyNoise.

"After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains," the researchers noted.

Since there is no current fix, GreyNoise recommended that users filter traffic for unusual requests to Zyxel CPE management interfaces, monitor Zyxel's security updates to be aware if a patch is made available, restrict administrative interface access to trusted IPs, and disable unused remote management features.
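The first and third of those recommendations (filter unusual requests to the management interfaces, and restrict administrative access to trusted IPs) can be checked against existing logs before any firewall change is made. The following script is an added illustration, not code from GreyNoise, VulnCheck or Zyxel: it reads constructed connection records in a simple "source IP, destination port, request path" shape (not Zyxel's real log format), treats ports 23, 80 and 443 as the telnet and HTTP management interfaces the article refers to, flags any connection to those ports from outside an allowlist of trusted networks, and separately flags request paths containing shell metacharacters as "unusual". The trusted networks, log lines and CGI paths are all assumptions made for the example.

```python
import ipaddress
import re

# Trusted management networks: placeholder values chosen for this example.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Telnet and HTTP(S) management ports, the two interfaces the article describes.
MANAGEMENT_PORTS = {23, 80, 443}

# Constructed sample records: "src_ip dst_port path" (a "-" path means no HTTP path,
# e.g. a telnet connection). The paths are hypothetical, not real Zyxel endpoints.
SAMPLE_LOG = """\
203.0.113.7 80 /cgi-bin/login.cgi
10.0.0.5 443 /cgi-bin/status.cgi
198.51.100.9 23 -
192.168.1.20 80 /
203.0.113.7 80 /cgi-bin/admin.cgi?q=;ls
not-an-ip 80 /
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<path>\S+)$")

# Crude heuristic for an "unusual request": shell metacharacters in the path.
SUSPICIOUS_RE = re.compile(r"[;|`$]")


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable source: never treat it as trusted.
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str) -> list:
    """Return one finding per record that violates the allowlist or looks unusual."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records rather than guessing
        ip, port, path = m["ip"], int(m["port"]), m["path"]
        if port not in MANAGEMENT_PORTS:
            continue  # only the management interfaces are of interest here
        reasons = []
        if not is_trusted(ip):
            reasons.append("untrusted source to management port")
        if SUSPICIOUS_RE.search(path):
            reasons.append("shell metacharacters in request")
        if reasons:
            findings.append(
                {"ip": ip, "port": port, "path": path, "reason": "; ".join(reasons)}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']}:{f['port']} {f['path']} -> {f['reason']}")
```

On the sample records this reports the three connections from outside the trusted networks (two to HTTP, one to telnet), the last of which is also flagged for the ";" in its path, plus the unparseable source address; the two connections from trusted networks produce no finding. The same allowlist is what a firewall rule restricting the management ports should encode, and the metacharacter heuristic is deliberately coarse: it is a triage filter for a small CPE fleet, not a signature for the vulnerability itself.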
