Critical Zero-Day Command Injection Vulnerability in Zyxel CPE Series Devices (CVE-2024-40891) Actively Exploited

ISGroup Cybersecurity

A new zero-day Command Injection vulnerability, identified as CVE-2024-40891, affects Zyxel CPE series devices, exposing over 1,500 internet-accessible devices worldwide to potential attacks. Security researchers have observed active exploitation attempts since January 21, 2025, with attackers leveraging unauthorized accounts such as “supervisor” or “zyuser” to gain system control. Despite the severity, Zyxel has not yet issued an official advisory or a corrective patch.

Date2025-02-03 09:26:25
Information
  • Active Exploitation

Technical Summary

CVE-2024-40891 is a critical remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on affected Zyxel CPE devices via telnet. This vulnerability is similar to CVE-2024-40890, which utilized an HTTP-based attack vector, but in this case, CVE-2024-40891 focuses on telnet access. The flaw allows attackers to gain full control of the device, with potential consequences such as data theft, network compromise, and large-scale botnet infections.

Researchers from GreyNoise and VulnCheck have confirmed active exploitation of the vulnerability, with attackers targeting exposed devices shortly after the issue was reported to certain security partners. Due to the high number of attacks, researchers publicly disclosed the issue to raise awareness and encourage defensive actions.

Recommendations

Until an official patch is available, organizations using Zyxel CPE Series devices should adopt the following measures to mitigate risks:

  • Monitor network traffic: actively monitor telnet connections on Zyxel devices to detect suspicious activity.
  • Restrict access: allow administrative access only from trusted IPs and disable remote management if not necessary.
  • Apply vendor updates: regularly check for Zyxel security advisories and apply patches immediately upon release.
  • Decommission end-of-life devices: replace devices that are no longer supported to reduce exposure to future threats.

[Callforaction-THREAT-Footer]