Active Exploitation of Zyxel CPE Devices Linked to Unpatched CVE-2024-40891 Vulnerability

Critical Vulnerability in Zyxel Devices Under Active Exploitation

Cybersecurity experts have issued urgent warnings regarding a severe zero-day vulnerability affecting Zyxel CPE Series devices, with reports of ongoing exploitation attempts. Tracked as CVE-2024-40891, this command injection vulnerability enables attackers to execute arbitrary commands on vulnerable devices, potentially resulting in full system takeover, unauthorized data access, or infiltration into connected networks. GreyNoise researcher Glenn Thorpe highlighted the risks involved, noting that the vulnerability remains unpatched and was initially reported by VulnCheck in July 2024.

Current threat intelligence indicates that attackers have been leveraging this vulnerability aggressively, with multiple incidents traced back to a significant number of IP addresses, predominantly located in Taiwan. Censys data reveals that over 1,500 Zyxel devices remain exposed online, with the exploit attempts focused primarily on Telnet interfaces. GreyNoise has drawn parallels between CVE-2024-40891 and another vulnerability, CVE-2024-40890, noting that both allow unauthenticated attackers to execute system commands, albeit through different service protocols.

As the situation escalates, users are strongly encouraged to implement network defenses, including filtering traffic for unusual HTTP requests directed at Zyxel CPE management interfaces and restricting administrative access to trusted IP addresses. In a related development, Arctic Wolf has noted campaigns, beginning January 22, 2025, involving unauthorized access to devices running SimpleHelp remote desktop software. Early indicators of these threats included suspicious communications consistent with an attack path using CVE-2024-57726, among other flaws, which could lead to privilege escalation.

Notably, there are indications that variants of the Mirai botnet have begun to exploit CVE-2024-40891. GreyNoise identified a considerable overlap in IP addresses targeting this vulnerability and those associated with Mirai, suggesting organized, mass exploitation efforts by threat actors. Given the potential for widespread impact, organizations are advised to routinely monitor their networks for signs of compromise.
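The two defensive recommendations above, restricting administrative access to trusted IP addresses and routinely monitoring for signs of compromise, can be expressed as a small allowlist policy run over connection logs. The following script is an added example written for this article, not code from Zyxel, GreyNoise or any of the vendors named; the trusted networks, the log format and every log line are constructed placeholders, and the management port table (Telnet plus the HTTP/HTTPS admin interface) is an assumption about a typical CPE rather than a documented Zyxel setting.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed trusted management networks. Placeholders for this example only;
# a real deployment substitutes its own admin VLAN or jump-host ranges.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Management services on a CPE device: Telnet (the vector the article names)
# and the HTTP/HTTPS web administration interface. Assumed, not Zyxel-specific.
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    service: str
    action: str


def is_trusted_source(src_ip: str) -> bool:
    """True if the source address falls inside an allowlisted admin network."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def should_block(src_ip: str, dst_port: int) -> bool:
    """Policy: management ports are reachable only from trusted networks."""
    return dst_port in MANAGEMENT_PORTS and not is_trusted_source(src_ip)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Parse 'timestamp src dst port action'; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, port, action = fields
    try:
        return ts, src, dst, int(port), action
    except ValueError:
        return None


def find_untrusted_admin_access(log_text: str) -> List[Finding]:
    """Return every management-port connection that the policy says should have been blocked."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the sweep
        ts, src, dst, port, action = parsed
        if should_block(src, port):
            findings.append(Finding(ts, src, dst, MANAGEMENT_PORTS[port], action))
    return findings


def summarize_by_source(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source address so repeat offenders stand out."""
    return dict(Counter(f.src_ip for f in findings))


# Constructed sample log (not real traffic): one CPE at 192.168.1.1 as the destination.
SAMPLE_LOG = """\
2025-02-05T10:00:01Z 192.168.1.20 192.168.1.1 443 ALLOW
2025-02-05T10:00:05Z 203.0.113.45 192.168.1.1 23 ALLOW
2025-02-05T10:00:09Z 198.51.100.7 192.168.1.1 80 ALLOW
malformed line that the parser must skip
2025-02-05T10:00:12Z 203.0.113.45 192.168.1.1 23 ALLOW
2025-02-05T10:00:15Z 10.5.5.5 192.168.1.1 23 ALLOW
2025-02-05T10:00:20Z 203.0.113.99 192.168.1.1 8080 ALLOW
"""

if __name__ == "__main__":
    hits = find_untrusted_admin_access(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip} {f.service} ({f.action})")
    print(summarize_by_source(hits))
```

On the constructed log, the two internal sources are accepted, the connection to port 8080 is ignored because it is not a management service, and the three Telnet and HTTP connections from outside the allowlist are reported, with 203.0.113.45 counted twice. The same `should_block` predicate that drives the report is the rule a perimeter firewall would enforce, so the detection and the restriction stay in agreement.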

Zyxel has disclosed that it will not release patches for the vulnerabilities affecting its end-of-life devices, including CVE-2024-40890 and CVE-2024-40891. According to Zyxel’s advisory issued on February 4, 2025, these legacy devices will not be supported further, thereby posing a lasting risk to users still reliant on them. Customers are urged to consider upgrading to modern devices to mitigate the threats posed by these vulnerabilities.

VulnCheck has expressed concern that many legacy Zyxel models remain connected to the internet, largely due to the combination of default credentials and the command injection vulnerability, emphasizing the need for greater transparency in vulnerability disclosures and the risks associated with outdated configurations.

In summary, the ongoing exploitation of CVE-2024-40891 serves as a stark reminder of the continual risks posed to organizations by unpatched vulnerabilities, particularly in aging network equipment. Business owners should remain vigilant and proactive in monitoring their cybersecurity posture to defend against potential breaches stemming from these types of vulnerabilities. The MITRE ATT&CK framework highlights the tactics and techniques possibly employed in these attacks, including initial access through command injection and persistence via remote access protocols. Awareness and timely action are paramount to safeguarding against these emerging threats.
