Researchers report active exploitation of unpatched Zyxel CPE Devices via CVE-2024-40891 flaw
Take action: If you are using Zyxel modems or other customer premises equipment (CPE), limit access to the Telnet and HTTP ports to trusted networks only, and monitor Zyxel's site for patches and apply them immediately. There is no patch at present, but the mitigation measures are simple and easy to implement. Zyxel has said it will not patch end-of-life devices, so start replacing them.
Learn More
Researchers report actively exploited vulnerability in Zyxel CPE Series devices.
The vulnerability is tracked as CVE-2024-40891 (CVSS score 7.1). It's a command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and zyuser) through Telnet-based attacks.
The vulnerability enables attackers to execute arbitrary commands on affected devices, achieve complete system compromise, exfiltrate data, and infiltrate the surrounding network.
VulnCheck initially disclosed this vulnerability to their partners on August 1, 2024, under the name "Zyxel CPE Telnet Command Injection." As of January 28, 2025, Zyxel has neither publicly disclosed the vulnerability nor released an advisory or patch. Censys reports identify over 1,500 vulnerable devices currently exposed online. The majority of attack attempts have originated from IP addresses located in Taiwan.
The researchers note that CVE-2024-40891 shares similarities with CVE-2024-40890, with the key distinction being that CVE-2024-40891 utilizes Telnet-based attacks while CVE-2024-40890 employs HTTP-based methods. Both vulnerabilities enable unauthenticated command execution through service accounts.
GreyNoise and VulnCheck made the decision to publish their findings immediately, departing from the standard vendor-coordinated disclosure process. GreyNoise created a specific tag for tracking this issue on January 21, 2025.
Update - Zyxel has stated they have no plans to patch the end-of-life routers against new zero-day flaws and advises customers to replace affected devices entirely.
Users are advised to apply immediate mitigation measures:
- Fully block access to the device's Telnet and HTTP ports, or limit it to trusted networks only.
- Monitor Zyxel's site for patches and apply them immediately upon release.
- Discontinue use of end-of-life devices.
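One way to implement the first mitigation on a Linux gateway placed in front of the CPE devices, as an added example that is not from the article or from Zyxel: an nftables ruleset that admits Telnet (23) and HTTP (80) traffic to the CPE subnet only from a trusted management network and logs and drops the rest. The subnets (192.0.2.0/24 for the CPEs, 198.51.100.0/24 for trusted admins) and the table name `cpe_guard` are assumed placeholders; adjust them to your own addressing.

```shell
#!/bin/sh
# Added example (not the article's or Zyxel's own configuration).
# Assumptions (hypothetical values): the CPE devices live in 192.0.2.0/24,
# the trusted admin network is 198.51.100.0/24, and this Linux gateway
# forwards traffic between the two, so the forward hook sees it.

CPE_NET="${CPE_NET:-192.0.2.0/24}"
TRUSTED_NET="${TRUSTED_NET:-198.51.100.0/24}"

# Print an nftables ruleset that accepts Telnet/HTTP to the CPE subnet only
# from the trusted network, then logs and drops every other attempt at those
# ports. All other forwarded traffic is left alone (policy accept).
gen_ruleset() {
    cpe="$1"
    trusted="$2"
    cat <<EOF
table inet cpe_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Management ports of the CPE devices: allow only the trusted network
        ip daddr $cpe tcp dport { 23, 80 } ip saddr $trusted accept

        # Everyone else is logged (so exploitation attempts show up in syslog) and dropped
        ip daddr $cpe tcp dport { 23, 80 } log prefix "cpe-mgmt-blocked: " drop
    }
}
EOF
}

# Sanity check: number of rules touching the management ports (expect 2,
# the accept rule first, the drop rule second; nft evaluates in order).
rule_count() {
    gen_ruleset "$1" "$2" | grep -c 'tcp dport { 23, 80 }'
}

# Apply only when explicitly asked (needs root and the nft binary):
#   sh cpe_guard.sh --apply
if [ "${1:-}" = "--apply" ]; then
    gen_ruleset "$CPE_NET" "$TRUSTED_NET" | nft -f -
fi
```

Review the log prefix `cpe-mgmt-blocked:` in your syslog to see which sources are probing the management ports from outside the trusted network.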