Unpatched CVE-2024-40891: A Critical Zero-Day Vulnerability in Zyxel CPE Devices Under Active Exploitation


2025-01-29

Zyxel CPE Series devices are currently being targeted by cybercriminals exploiting a zero-day vulnerability tracked as CVE-2024-40891. This critical flaw, which has yet to be patched or publicly disclosed, allows attackers to execute arbitrary commands on the affected devices. As a result, they can potentially seize control of the devices, extract sensitive data, or infiltrate networks. Cybersecurity experts from GreyNoise and VulnCheck have been monitoring these ongoing exploitation attempts and have issued an alert about the risk posed to millions of users.

The Vulnerability and Exploitation Attempts

CVE-2024-40891 is a command injection vulnerability in

The flaw is very similar to another vulnerability, CVE-2024-40890, with the main difference being the protocol used for the attack—CVE-2024-40891 targets Telnet, while CVE-2024-40890 leverages HTTP-based communication. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts like supervisor and zyuser.

VulnCheck first disclosed the vulnerability on August 1, 2024, but Zyxel has not issued an official advisory. As the exploitation attempts escalated, GreyNoise collaborated with VulnCheck to verify and tag the vulnerability on January 21, 2025. The disclosure was made without delay because the attack attempts had already become widespread, many of them from IP addresses originating in Taiwan. According to cybersecurity firm Censys, over 1,500 devices are exposed to this critical flaw.

What Undercode Says:

The rapid rise in exploitation attempts targeting CVE-2024-40891 is a stark reminder of the vulnerabilities in widely used networking devices. As reported by GreyNoise, these attacks are happening on a large scale, with many of the attacks originating from a specific geographic region, Taiwan. The presence of thousands of attempted exploits indicates how attractive Zyxel devices are to cybercriminals, likely due to their widespread usage and critical role in network infrastructure. Devices in home and small business environments are especially vulnerable since they often lack the same level of security monitoring as corporate systems.

The vulnerability itself, being a command injection flaw, allows attackers to remotely execute arbitrary commands on the device, which is a highly dangerous ability. Attackers could use this to install malware, steal sensitive data, or even pivot to other devices on the same network. The exploitation attempts are also noteworthy because they are happening at a time when security patches and updates are crucial, yet Zyxel has not responded with an official patch or advisory, leaving devices exposed to ongoing threats.

Comparing CVE-2024-40891 to CVE-2024-40890,

The collaboration between VulnCheck and GreyNoise highlights the importance of cybersecurity firms sharing threat intelligence in real-time to mitigate the impact of such vulnerabilities. Their rapid disclosure of CVE-2024-40891, despite the lack of vendor coordination, was crucial in warning organizations and individuals who might be using Zyxel devices.

While the scale of exploitation attempts is concerning, the fact that the vulnerability was discovered by independent researchers rather than Zyxel itself raises questions about the company’s responsiveness to security flaws. It also underscores the need for vendors to prioritize security and patching, especially for vulnerabilities in widely used devices like Zyxel CPE series products.

As of now, the lack of a patch leaves many devices exposed, making it essential for organizations and consumers to assess their Zyxel equipment and consider mitigating actions, such as disabling Telnet access or implementing strict network monitoring. Given the severity of the risk and the high potential for data breaches and network infiltrations, users should remain vigilant and be prepared for future updates from Zyxel or the broader cybersecurity community.
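A defender-side check in the spirit of the mitigations above, added here as an example and not code from the article or from Zyxel: it parses constructed perimeter-firewall and CPE log lines (the log format, the 192.0.2.x CPE addresses and the 10.0.0.0/8 management range are assumptions) and flags Telnet (TCP/23) connections to CPE units from outside the management network, plus Telnet logins that use the supervisor and zyuser service accounts named above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not Zyxel's own format): a perimeter firewall in
# front of Zyxel CPE units, followed by login events forwarded from a CPE.
SAMPLE_LOGS = """\
2025-01-21T03:14:07Z fw allow proto=tcp src=203.0.113.45:51234 dst=192.0.2.10:23
2025-01-21T03:14:08Z fw allow proto=tcp src=203.0.113.45:51235 dst=192.0.2.11:23
2025-01-21T03:14:09Z fw allow proto=tcp src=10.0.0.5:40001 dst=192.0.2.10:23
2025-01-21T03:14:10Z fw allow proto=tcp src=198.51.100.7:44410 dst=192.0.2.10:443
2025-01-21T03:15:02Z cpe login user=supervisor src=203.0.113.45 service=telnet result=fail
2025-01-21T03:15:03Z cpe login user=zyuser src=203.0.113.45 service=telnet result=fail
2025-01-21T03:16:00Z cpe login user=admin src=10.0.0.5 service=http result=ok
"""

TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/8")]  # assumed management range
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}           # accounts named in the article

FW_RE = re.compile(r"proto=tcp src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
LOGIN_RE = re.compile(r"login user=(?P<user>\S+) src=(?P<src>[\d.]+) service=(?P<svc>\S+)")


def is_trusted(ip: str) -> bool:
    """True when the source address sits inside the assumed management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT)


def find_telnet_exposure(log_text: str):
    """Return (Counter of untrusted Telnet sources, list of service-account Telnet logins)."""
    telnet_sources = Counter()
    svc_logins = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["dport"] == "23" and not is_trusted(m["src"]):
            telnet_sources[m["src"]] += 1   # Telnet reached a CPE from outside management
            continue
        m = LOGIN_RE.search(line)
        if m and m["svc"] == "telnet" and m["user"] in SERVICE_ACCOUNTS and not is_trusted(m["src"]):
            svc_logins.append((m["user"], m["src"]))  # service account used over Telnet
    return telnet_sources, svc_logins


if __name__ == "__main__":
    sources, logins = find_telnet_exposure(SAMPLE_LOGS)
    for ip, n in sources.most_common():
        print(f"ALERT untrusted Telnet to CPE from {ip}: {n} connection(s)")
    for user, ip in logins:
        print(f"ALERT service account {user!r} used over Telnet from {ip}")
```

Any hit from the first list is a unit whose Telnet service is still reachable from outside and should be disabled or firewalled; the second list points at devices to inspect for compromise.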

This situation highlights the importance of a proactive approach to cybersecurity. It’s crucial for organizations to implement a robust patch management policy and stay informed about vulnerabilities that could affect their infrastructure. Furthermore, this incident serves as a reminder that even seemingly minor devices, like home routers and CPE units, can become major targets for cybercriminals if left unprotected.

Ultimately, CVE-2024-40891 is another case in a long series of vulnerabilities that stress the importance of cybersecurity vigilance. As cyber threats continue to evolve, it’s essential for all stakeholders in the cybersecurity ecosystem—vendors, researchers, and end-users—to work together to ensure the safety of online environments.

References:

Reported By: Securityaffairs.com