Zyxel Refuses to Patch Actively Exploited Flaws in Discontinued Routers

February 4, 2025

Zyxel, a network hardware manufacturer, has released a security advisory warning about actively exploited vulnerabilities in its CPE Series devices. The company has stated that it will not be issuing patches for these flaws and has urged users to upgrade to supported models. These vulnerabilities were first identified in July 2024 by a security firm. Recently, another organization reported seeing attempts to exploit these flaws. Network scanning engines FOFA and Censys have found that over 1,500 Zyxel CPE Series devices are exposed on the internet, indicating a large potential attack surface.

The security firm has released full details of the two vulnerabilities, which are being used by threat actors to gain initial access to networks. The firm demonstrated its proof of concept against a VMG4325-B10A device running firmware version 1.00(AAFR.4)C0_20170615. Despite these devices being unsupported for many years, they continue to be used in networks around the world. The security firm warned that 'While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers. The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.'

Zyxel's latest advisory confirms the vulnerabilities disclosed by the security firm today impact multiple end-of-life (EoL) products. The vendor states that the impacted devices reached EoL several years ago and recommends their replacement with newer generation equipment. 'We have confirmed that the affected models reported by the security firm, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,' reads Zyxel's advisory. 'Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.'

Zyxel also mentions a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection problem similar to CVE-2024-40891. Interestingly, Zyxel claims that although it has been asking the security firm for a detailed report since last July, the firm never provided one. Instead, the firm allegedly published its write-up without informing Zyxel.
