Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
CVE-2024-40891, a command injection vulnerability in Zyxel CPE Series telecommunications devices that has yet to be fixed by the manufacturer, is being targeted by attackers, cybersecurity company GreyNoise has warned.
Successful exploitation would allow attackers to execute arbitrary commands on affected devices, potentially leading to complete system compromise, network infiltration, and data exfiltration.
“After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains,” the company added.
About CVE-2024-40891
The existence of CVE-2024-40891 was first publicly acknowledged by vulnerability intelligence firm VulnCheck in July 2024 but, nearly six months later, it remains unpatched and unmentioned by Zyxel.
Unfortunately, attackers have been paying attention and, according to GreyNoise, they are trying to exploit the vulnerability on internet-facing devices. “If these attempts were launched against actual vulnerable devices, they would have been successful logins,” a company spokesperson told Help Net Security.
“CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser),” Glenn Thorpe, GreyNoise’s senior director of security research and detection engineering, explained.
“GreyNoise researchers created a tag for this issue on January 21, 2025, and worked with VulnCheck to coordinate this disclosure. Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately.”
Preventing exploitation
Censys.io, a web platform for identifying internet-connected assets, currently shows some 1,500 vulnerable devices, mostly in the Philippines, Turkey, and Europe.
As there is no official fix for CVE-2024-40891, organizations running the affected devices are advised to:
- Allow connections to the devices’ administrative interfaces (telnet and HTTP) only from trusted IP addresses
- Disable remote management features if they are not needed
- Monitor Zyxel’s official channels for patch announcements and apply the patch when it is finally made available
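The two interim mitigations above (restricting administrative access to trusted sources, and turning remote management off) and the telnet/HTTP attack surface described by GreyNoise can be turned into a small policy check and an exposure audit. The following is an added example written for this page, not code from Zyxel, GreyNoise or Help Net Security: the trusted networks, the connection-log format and the sample log lines are constructed for illustration, and the port numbers are the standard defaults for telnet and HTTP(S), an assumption about how a given CPE is configured.

```python
"""
Added example (not from the article, Zyxel or GreyNoise).

Two helpers that mirror the interim mitigations:
  - admin_access_decision(): the allow-list policy a firewall or ACL should
    enforce in front of the CPE's administrative services
  - audit_admin_exposure(): a pass over constructed connection-log lines that
    reports untrusted sources reaching those services, flagging the
    service accounts (supervisor, zyuser) the article says attackers use
"""
import ipaddress
import re
from collections import defaultdict

# Administrative services on the CPE: telnet (the CVE-2024-40891 vector) and
# HTTP (the CVE-2024-40890 vector). Standard default ports; assumption.
ADMIN_PORTS = {23: "telnet", 80: "http", 443: "https"}

# Service accounts named in the article as used by unauthenticated attackers.
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}

# Hypothetical management ranges that should be the only admin-traffic sources.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_trusted(src_ip, trusted=TRUSTED_NETWORKS):
    """True if src_ip falls inside one of the trusted management networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in trusted)


def admin_access_decision(src_ip, dst_port, remote_mgmt_enabled=True,
                          trusted=TRUSTED_NETWORKS):
    """Policy for a connection to the CPE: 'allow' or 'deny'.

    Non-admin ports are out of scope of this policy and pass through.
    With remote management disabled, every admin-port connection is denied;
    otherwise only trusted sources may reach the admin services.
    """
    if dst_port not in ADMIN_PORTS:
        return "allow"
    if not remote_mgmt_enabled:
        return "deny"
    return "allow" if is_trusted(src_ip, trusted) else "deny"


# Constructed syslog-style connection records (invented format for this example).
SAMPLE_LOG = """\
2025-01-28T10:00:01Z cpe1 conn src=203.0.113.9 dport=23 user=supervisor
2025-01-28T10:00:02Z cpe1 conn src=203.0.113.9 dport=23 user=zyuser
2025-01-28T10:00:05Z cpe1 conn src=10.1.2.3 dport=80 user=admin
2025-01-28T10:00:07Z cpe1 conn src=198.51.100.4 dport=80 user=zyuser
2025-01-28T10:00:09Z cpe1 conn src=198.51.100.4 dport=8443
"""

LOG_RE = re.compile(
    r"src=(?P<src>[0-9a-fA-F.:]+) dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?"
)


def audit_admin_exposure(log_text, trusted=TRUSTED_NETWORKS):
    """Map each untrusted source that reached an admin service to its attempts.

    Each attempt is (service, user, used_service_account); lines that do not
    parse, hit non-admin ports, or come from trusted networks are skipped.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if port not in ADMIN_PORTS:
            continue
        src = m.group("src")
        if is_trusted(src, trusted):
            continue
        user = m.group("user")
        findings[src].append((ADMIN_PORTS[port], user, user in SERVICE_ACCOUNTS))
    return dict(findings)


if __name__ == "__main__":
    for src, hits in audit_admin_exposure(SAMPLE_LOG).items():
        for service, user, svc_acct in hits:
            flag = " [service account]" if svc_acct else ""
            print(f"{src} -> {service} as {user}{flag}")
```

Anything the audit reports is traffic the first mitigation should already have blocked; a source appearing with `supervisor` or `zyuser` against telnet is the pattern GreyNoise associates with the Mirai variants, and is worth a closer look at the device even if the login was refused.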
In September 2024, Zyxel pushed out hotfixes for a critical and easily exploited command injection vulnerability in its end-of-life NAS devices.
Unfortunately, not all of its interventions have been so helpful: the company also recently sent some of its firewalls into a reboot loop by issuing a faulty application signature update. The loop could only be broken by physically connecting a console (RS232) cable to the device, restarting it and performing certain actions after entering debug mode.
source: HelpNetSecurity