Unpatched Zyxel CPE Zero-Day Vulnerability Targeted by Cyberattackers

2025-01-29

A critical zero-day vulnerability in Zyxel CPE (Customer Premises Equipment) devices, tracked as CVE-2024-40891, has emerged as a significant threat to both businesses and individuals relying on Zyxel’s networking hardware. Despite being disclosed by security researchers nearly six months ago, the company has yet to acknowledge the issue or release a patch. As a result, cyberattackers are actively exploiting the vulnerability, posing a risk of data breaches, network infiltrations, and full system compromise.

The Vulnerability

Zyxel’s CPE devices, including various routers and access points, have been found to contain a critical command-injection flaw, identified as CVE-2024-40891. This vulnerability, uncovered by VulnCheck in July 2024, enables unauthenticated attackers to remotely execute arbitrary commands on the device, potentially leading to severe consequences like system takeover, network penetration, and sensitive data leakage. Despite the severity of the bug, Zyxel has yet to respond with a patch or any form of public acknowledgment.

GreyNoise, a security firm collaborating with VulnCheck, has observed a significant increase in attacks exploiting this vulnerability. As of January 2025, more than 1,500 vulnerable devices remain exposed online, and evidence suggests that various botnets, including Mirai, are incorporating the exploit into their attack scripts. The vulnerability is similar to another known issue, CVE-2024-40890, with the key distinction being the method of attack—one uses telnet, while the other uses HTTP. Both vulnerabilities allow attackers to execute commands on devices using high-level service accounts such as “supervisor” or “zyuser.”

In the absence of an official patch, GreyNoise advises affected users to take precautions such as filtering unusual traffic to Zyxel management interfaces, restricting access to trusted IPs, disabling unused remote management features, and closely monitoring any security updates released by Zyxel.

What Undercode Says:

The unpatched CVE-2024-40891 in Zyxel CPE devices is a glaring example of how critical vulnerabilities can persist for far too long, putting users at risk. Vulnerabilities like this emphasize the need for rapid response and patching by vendors to safeguard users’ networks from emerging threats. It’s surprising that Zyxel has failed to address this issue within a reasonable time frame, especially given its potential for widespread exploitation.

The fact that cybercriminals have already weaponized this vulnerability—embedding it in botnet attack scripts like those of Mirai—is deeply concerning. Mirai, known for its large-scale DDoS attacks using compromised IoT devices, is now exploiting CVE-2024-40891 to expand its botnet. This indicates a shift toward more targeted and sophisticated forms of cybercrime, where vulnerabilities in common consumer and business devices are being used to create large-scale, automated attack networks.

This also reflects broader challenges in the cybersecurity landscape: manufacturers of CPE devices often do not prioritize timely security fixes, leaving users vulnerable for extended periods. Zyxel’s failure to issue a patch or communicate effectively about this critical vulnerability only worsens the situation. Users of Zyxel devices must now deal with the uncertainty of whether or when a fix will arrive, forcing them to take manual measures to secure their systems.

The exploitation of CVE-2024-40891 also highlights the evolving nature of cyber threats. Previously, botnets like Mirai were mostly used for launching massive DDoS attacks, but now they have evolved to leverage specific vulnerabilities in popular network equipment. This trend points to a growing sophistication in how cybercriminals are using vulnerabilities not just for disruptive attacks but for deeper, more persistent intrusions into target systems.

For organizations relying on Zyxel devices, the need for network segmentation, strong access controls, and regular monitoring has never been more critical. With no patch available, users must be proactive in securing their devices, which may include filtering traffic, restricting remote management, and keeping a close eye on any unusual activity. Furthermore, as more vulnerabilities like CVE-2024-40891 are discovered, it’s imperative for users to stay updated on the latest security patches and threat intelligence.
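The mitigations recommended above (filter traffic to the management interfaces, restrict them to trusted IPs, watch for unusual activity) can be checked against access logs. The following is an added example written for this post, not code from Zyxel, GreyNoise or VulnCheck; the key=value log format, the trusted network list and the sample lines are all constructed assumptions. It flags any access to the telnet or HTTP management ports from a source outside the trusted allowlist, and calls out the service accounts the advisory names.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Management services the advisory names: telnet (CVE-2024-40890) and HTTP
# (CVE-2024-40891). Add 443 if your devices also expose HTTPS management.
MGMT_PORTS = {23: "telnet", 80: "http"}
# Built-in service accounts the advisory says the exploits run under.
WATCHED_ACCOUNTS = {"supervisor", "zyuser"}

# Constructed 'key=value' log layout for this example, not a real Zyxel syslog format.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed 'k=v k=v ...' log line into a dict."""
    return dict(_KV.findall(line))


def audit_mgmt_access(lines: Iterable[str], trusted_cidrs: List[str]) -> List[Dict[str, str]]:
    """Return one finding per management-port access from a source outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        try:
            src = ipaddress.ip_address(rec.get("src", ""))
            dport = int(rec.get("dport", 0))
        except ValueError:
            continue  # malformed or non-IP source: skip rather than crash the audit
        if dport not in MGMT_PORTS or any(src in net for net in trusted):
            continue
        finding = {"src": str(src), "service": MGMT_PORTS[dport],
                   "reason": "untrusted source on management port"}
        user = rec.get("user")
        if user in WATCHED_ACCOUNTS:  # escalate: known service account from outside
            finding["reason"] = f"untrusted source using service account {user}"
        findings.append(finding)
    return findings


# Constructed sample log lines using RFC 5737 documentation addresses, not real telemetry.
SAMPLE_LOG = """\
ts=2025-01-29T10:15:02Z src=192.168.1.20 dport=80 proto=tcp user=admin
ts=2025-01-29T10:16:44Z src=203.0.113.10 dport=23 proto=tcp user=supervisor
ts=2025-01-29T10:17:01Z src=198.51.100.7 dport=80 proto=tcp
ts=2025-01-29T10:17:05Z src=198.51.100.7 dport=8080 proto=tcp
ts=2025-01-29T10:18:30Z src=garbage dport=80
""".splitlines()

if __name__ == "__main__":
    for f in audit_mgmt_access(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f)
```

Any finding is a candidate for an allowlist rule on the upstream firewall; a finding naming `supervisor` or `zyuser` from an external address warrants immediate investigation.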

In conclusion, CVE-2024-40891 is a stark reminder of the importance of timely security patches and the growing risk posed by unpatched vulnerabilities in connected devices. While Zyxel’s delayed response is unfortunate, users must take immediate action to protect their networks from ongoing and future threats. The cybersecurity community will need to keep a watchful eye on Zyxel’s next moves and remain vigilant for any signs of exploitation.

References:

Reported By: Darkreading.com