Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild.
"Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday.
The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024.
Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses, with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online.
"CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based," GreyNoise added. "Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts."
VulnCheck told The Hacker News that it's working through its disclosure process with the Taiwanese company. We have reached out to Zyxel for further comment, and we will update the story if we hear back.
In the meantime, users are advised to filter traffic for unusual HTTP requests to Zyxel CPE management interfaces and restrict administrative interface access to trusted IPs.
The development comes as Arctic Wolf reported it observed a campaign starting January 22, 2025, that involved gaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.
It's currently not known if the attacks are linked to the exploitation of recently disclosed security flaws in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.
"The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance," security researcher Andres Ramos said. "The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further."
Organizations are strongly advised to update their SimpleHelp instances to the latest available fixed versions to secure against potential threats.
CVE-2024-40891 Likely Exploited by Mirai Botnet Variants
GreyNoise told the publication there are clear signs that threat actors are attempting to exploit the vulnerability en masse. It also pointed out that some Mirai botnet variants have already added the ability to exploit CVE-2024-40891 after identifying a "significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai."
Zyxel Says it Won't Patch Flaws in End-of-Life Routers
Zyxel, in an advisory released on February 4, 2025, said the vulnerabilities CVE-2024-40890 and CVE-2024-40891, alongside CVE-2025-0890, won't by addressed by the company in light of the fact that the devices they impact have reached end-of-life (EoL) status.
A description of the three vulnerabilities is below -
- CVE-2024-40890 (CVSS score: 8.8) - A post-authentication command injection vulnerability in the CGI program that could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request
- CVE-2024-40891 (CVSS score: 8.8) - A post-authentication command injection vulnerability in the management commands component that could allow an authenticated attacker to execute OS commands on an affected device via Telnet
- CVE-2025-0890 (CVSS score: 9.8) - The use of insecure default credentials for the Telnet function that could allow an attacker to log in to the management interface
The company also noted in its alert that WAN access and the Telnet function are disabled by default on these devices. In the absence of a patch, customers are being advised to replace the legacy products with newer versions to safeguard against the threats.
The list of affected models is as follows: VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500.
"While these devices are aging and supposed to be out of support, thousands remain exposed online," VulnCheck's Jacob Baines said. "The combination of default credentials and command injection makes them easy targets, highlighting the dangers of insecure default configurations and poor vulnerability transparency."
(The story was updated after publication to include an advisory published by Zyxel.)
