Security researchers have raised alarms about active exploitation attempts targeting a newly discovered zero-day command injection vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891.
This critical vulnerability, which remains unpatched and undisclosed by the vendor, has left over 1,500 devices globally exposed to potential compromise, as reported by Censys.
CVE-2024-40891 is a telnet-based command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands via service accounts such as “supervisor” or “zyuser.”
Successful exploitation could result in system compromise, data theft, and network infiltration.
The vulnerability is similar to CVE-2024-40890, a previously observed HTTP-based issue, with the key difference being the use of telnet as the attack vector for CVE-2024-40891.
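The reporting above gives defenders two concrete signals: the attack vector is telnet, and the logins ride on the “supervisor” and “zyuser” service accounts. The following is an added detection example, not code from the article, from GreyNoise, VulnCheck or Zyxel; it runs over a constructed sample log in a hypothetical `<timestamp> <service> login user=… src=… result=…` format (not a real Zyxel log format) and flags telnet logins to those accounts from addresses outside an explicitly configured internal range. The internal-network list and the service name `telnetd` are assumptions to adapt to your environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in a hypothetical format (not a real Zyxel log format):
#   <timestamp> <service> login user=<account> src=<ip> result=<ok|fail>
SAMPLE_LOG = """\
2025-01-21T03:14:07Z telnetd login user=supervisor src=203.0.113.45 result=fail
2025-01-21T03:14:09Z telnetd login user=zyuser src=203.0.113.45 result=ok
2025-01-21T03:15:00Z sshd login user=admin src=192.168.1.10 result=ok
2025-01-21T03:16:22Z telnetd login user=supervisor src=192.168.1.20 result=ok
2025-01-21T03:17:51Z httpd login user=zyuser src=198.51.100.7 result=fail
2025-01-21T03:18:03Z telnetd login user=zyuser src=198.51.100.7 result=ok
this line is not in the expected format
"""

# Service accounts named in the CVE-2024-40891 reporting.
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}

# Networks treated as internal (assumption: adapt to your own address plan).
# Anything outside these is considered reachable from the internet, so the
# documentation ranges used in the sample above count as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<res>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(ip_text):
    """True if the address lies outside every configured internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # Unparsable source field: treat as not external rather than guessing.
        return False
    return not any(ip in net for net in INTERNAL_NETWORKS)


def find_suspicious(log_text, services=("telnetd",)):
    """Logins (successful or failed) over the given services to a service account
    from an external address. Failed attempts are kept on purpose: a burst of
    failures against 'supervisor' from the internet is still worth an alert."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["svc"] in services
                and ev["user"] in SERVICE_ACCOUNTS
                and is_external(ev["src"])):
            hits.append(ev)
    return hits


def summarize(log_text, services=("telnetd",)):
    """Count suspicious events per source address, as input for blocking or escalation."""
    return Counter(ev["src"] for ev in find_suspicious(log_text, services))


if __name__ == "__main__":
    for src, n in summarize(SAMPLE_LOG).most_common():
        print(f"{src}: {n} telnet service-account login attempt(s) from outside the LAN")
```

The `services` parameter is there because the article pairs this CVE with the HTTP-based CVE-2024-40890; passing `("telnetd", "httpd")` widens the same rule to cover both vectors without a second parser. The internal telnet login on line four of the sample is deliberately not flagged, which is the trade-off of scoping the rule to external sources: a device whose telnet port is exposed to the internet is the case the article describes, but a compromised host on the LAN would need a separate rule.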
GreyNoise security researchers have confirmed active attempts to exploit this vulnerability in the wild.
These exploitation attempts surfaced just days after the vulnerability was disclosed to select security partners by VulnCheck on August 1, 2024.
Alarmingly, the vulnerability has not yet been addressed by Zyxel through an official advisory or firmware update.
GreyNoise, in collaboration with VulnCheck, has been monitoring malicious traffic linked to CVE-2024-40891 since January 21, 2025.
Exploitation patterns and attacker IPs are now being tracked in real time. Given the sheer volume of attacks, the researchers opted for public disclosure rather than waiting for an official vendor response, so that organizations can take immediate defensive measures.
This situation underscores the risks presented by zero-day vulnerabilities, particularly in widely deployed, internet-facing devices such as Zyxel’s CPE Series.
Attackers exploiting this flaw could achieve full control of affected devices, creating a significant risk for organizations reliant on these systems.
Organizations using Zyxel CPE Series devices should take the following steps immediately:
The cybersecurity community is urging Zyxel to release an official patch promptly to address this critical vulnerability. Until then, organizations are advised to implement all possible mitigations to safeguard their networks.