Critical Zero-Day Vulnerability in Zyxel CPE Series Devices Actively Exploited

January 29, 2025

GreyNoise researchers have detected active attempts to exploit a critical zero-day vulnerability, designated as CVE-2024-40891, in Zyxel CPE Series devices. This unpatched command injection issue has not been publicly disclosed yet. The flaw could enable attackers to execute arbitrary commands on the compromised devices, which may lead to device takeover, data theft, or network infiltration.

“CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based,” reads the advisory published by GreyNoise. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).”

The vulnerability, CVE-2024-40891, was disclosed on August 1, 2024, but an advisory from the vendor is still pending. GreyNoise researchers worked together with other experts to confirm the detection and tagged the issue on January 21, 2025. Due to the widespread nature of the attacks, the disclosure was made immediately without waiting for vendor coordination.

GreyNoise has observed thousands of attack attempts originating from multiple IP addresses, with the majority of them being located in Taiwan. Censys, a cybersecurity firm, has reported that over 1,500 online devices have been affected by this vulnerability.
