Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability

Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild.
"Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday.
The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024.
Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses, with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online.
"CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based," GreyNoise added. "Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts."
VulnCheck told The Hacker News that it's working through its disclosure process with the Taiwanese company. We have reached out to Zyxel for further comment, and we will update the story if we hear back.

In the meantime, users are advised to filter traffic for unusual HTTP requests to Zyxel CPE management interfaces and restrict administrative interface access to trusted IPs.
The development comes as Arctic Wolf reported it observed a campaign starting January 22, 2025, that involved gaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.
It's currently not known if the attacks are linked to the exploitation of recently disclosed security flaws in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.
"The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance," security researcher Andres Ramos said. "The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further."
Organizations are strongly advised to update their SimpleHelp instances to the latest available fixed versions to secure against potential threats.
Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer
Data Privacy Day 2025: Time for Data Destruction to Become Standard Business Practice
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
Free online web security scanner