Saturday, February 8, 2025
HomeCVE/vulnerabilityZyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild

Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild

Published on

SIEM as a Service

Follow Us on Google News

Security researchers have raised alarms about active exploitation attempts targeting a newly discovered zero-day command injection vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891.

This critical vulnerability, which remains unpatched and undisclosed by the vendor, has left over 1,500 devices globally exposed to potential compromise, as reported by Censys.

About the Vulnerability – CVE-2024-40891

CVE-2024-40891 is a telnet-based command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands via service accounts such as “supervisor” or “zyuser.”

Successful exploitation could result in system compromise, data theft, and network infiltration.

The vulnerability is similar to CVE-2024-40890, a previously observed HTTP-based issue, with the key difference being the use of telnet as the attack vector for CVE-2024-40891.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

GreyNoise security researchers have confirmed active attempts to exploit this vulnerability in the wild.

These exploitation attempts surfaced just days after the vulnerability was disclosed to select security partners by VulnCheck on August 1, 2024.

Alarmingly, the vulnerability has not yet been addressed by Zyxel through an official advisory or firmware update.

Exploitation Observed and Response

GreyNoise, in collaboration with VulnCheck, has been monitoring malicious traffic linked to CVE-2024-40891 since January 21, 2025.

Exploitation patterns and attacker IPs are now being tracked in real-time. Given the sheer volume of attacks, security researchers opted for public disclosure rather than waiting for an official vendor response, to ensure that organizations can take immediate defensive measures.

This situation underscores the risks presented by zero-day vulnerabilities, particularly in widely deployed, internet-facing devices such as Zyxel’s CPE Series.

Attackers exploiting this flaw could achieve full control of affected devices, creating a significant risk for organizations reliant on these systems.

Organizations using Zyxel CPE Series devices should take the following steps immediately:

  1. Network Monitoring: Closely monitor network traffic for unusual telnet activity targeting Zyxel CPE management interfaces.
  2. Access Controls: Restrict administrative access to trusted IP addresses and disable unused remote management functionality.
  3. Vendor Updates: Stay vigilant for security bulletins or patches from Zyxel and deploy updates as soon as they become available.
  4. EOL Devices: If using devices that have reached end-of-life, consider decommissioning them to mitigate risks.

The cybersecurity community is urging Zyxel to release an official patch promptly to address this critical vulnerability. Until then, organizations are advised to implement all possible mitigations to safeguard their networks.

Collect Threat Intelligence with TI Lookup to improve your company’s security - Get 50 Free Request

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...