CVE-2025-0890 is a critical security vulnerability affecting Zyxel VMG4325-B10A routers due to the presence of default credentials. These credentials allow attackers to gain unauthorized access to the system via Telnet, facilitating further forms of exploitation. The severity of the issue is heightened by the fact that it serves as an entry point for CVE-2024-40891, an authenticated command injection vulnerability that can lead to full remote code execution (RCE). This vulnerability is being actively exploited, with threat actors targeting the zyuser account to gain unauthorized access, as confirmed by several threat intelligence sources. It is important to note that the same credentials have already been used in previous malware campaigns, including BrickerBot.
| Product | Zyxel Devices |
| Date | 2025-02-10 17:31:55 |
| Information |
|
Technical Summary
Zyxel VMG4325-B10A routers are shipped with multiple default accounts, including:
supervisor:zyad1234admin:1234zyuser:1234
These credentials are stored in /etc/default.cfg but are not visible through the web interface, making them easily overlooked by administrators. The supervisor account has undocumented Telnet privileges, which grant access to hidden commands such as sh, providing a fully interactive shell. Although the zyuser account does not have direct access to these commands, it can still execute arbitrary code by exploiting CVE-2024-40891.
An attacker aware of these credentials can:
- Establish a Telnet session using the
zyuseraccount. - Exploit CVE-2024-40891 by injecting commands through improperly sanitized input.
- Gain full system access, allowing for data exfiltration, firmware manipulation, or the deployment of persistent malware.
Recommendations
To mitigate the risks associated with CVE-2025-0890, organizations should immediately adopt the following actions:
Disable Telnet access:
- If Telnet is not required, disable it to prevent unauthorized remote access.
Change default credentials:
- Immediately change the passwords for the
supervisor,admin, andzyuseraccounts to strong, unique passwords. - If possible, remove or disable unnecessary accounts.
- Immediately change the passwords for the
Apply firmware updates:
- Check for and apply any firmware updates provided by Zyxel that address this vulnerability.
- In the absence of a patch, consider replacing the affected devices with more secure alternatives.
Monitor network activity:
- Implement logging and anomaly detection to identify unauthorized access attempts.
- Use tools like GreyNoise to monitor exploitation trends related to this vulnerability.
Limit remote access:
- If remote management is necessary, restrict it to trusted IP addresses and use VPNs instead of exposing services directly to the Internet.
[Callforaction-THREAT-Footer]
