Unpatched flaw in Zyxel CPE series devices exploited in the wild

Hackers are actively exploiting a critical command injection vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891, which has remained unpatched since it was first reported in July 2024.

The flaw allows unauthenticated attackers to execute arbitrary commands on the affected devices through their 'supervisor' or 'zyuser' service accounts. Zyxel has yet to issue a security advisory or a patch for CVE-2024-40891.

Cyber threat monitoring platform GreyNoise has recently reported a rise in exploitation attempts against CVE-2024-40891. The attempts originate from multiple unique IP addresses, which points to widespread, rather than targeted, efforts to compromise vulnerable devices.

According to GreyNoise, CVE-2024-40891 is exploited over the telnet protocol, whereas a similar vulnerability, CVE-2024-40890, is HTTP-based.
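As an added example (not code from this article, from GreyNoise or from Zyxel), the following Python script shows the kind of triage a defender can run against WAN-side connection logs from a CPE or an upstream firewall: it counts distinct external sources hitting the telnet (tcp/23) and HTTP (tcp/80) management ports, the two vectors named above, and flags a port once it is being probed from several unrelated addresses. The netfilter-style log format, the sample lines, the internal address ranges and the alert threshold are all assumptions made for the example. It does not detect the injection payload itself, which the article says has not been publicly disclosed; it only surfaces the broad probing pattern GreyNoise describes.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic netfilter/syslog style. This is an
# assumed format for the example, not a real Zyxel CPE log format.
SAMPLE_LOG = """\
Jan 29 03:14:07 cpe kernel: [WAN-IN] SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51322 DPT=23 SYN
Jan 29 03:14:09 cpe kernel: [WAN-IN] SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51323 DPT=23 SYN
Jan 29 03:15:11 cpe kernel: [WAN-IN] SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 29 03:16:00 cpe kernel: [WAN-IN] SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan 29 03:17:30 cpe kernel: [WAN-IN] SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=33333 DPT=23 SYN
Jan 29 03:18:45 cpe kernel: [WAN-IN] SRC=203.0.113.200 DST=203.0.113.10 PROTO=UDP SPT=50000 DPT=23
Jan 29 03:19:02 cpe kernel: [WAN-IN] SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP SPT=41000 DPT=23 SYN
"""

# Management ports matching the two exploitation vectors named in the article.
WATCHED_PORTS = {23: "telnet (CVE-2024-40891 vector)", 80: "http (CVE-2024-40890 vector)"}

# Assumed internal ranges; hits from these are LAN-side traffic, not internet probes.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")


def parse_line(line):
    """Return (src_ip, proto, dport) for a netfilter-style line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ip_address(m["src"]), m["proto"], int(m["dport"])


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def external_probes(log_text, ports=WATCHED_PORTS):
    """Count TCP connection attempts per watched port, keyed by external source IP.

    UDP lines and LAN-side sources are ignored: only inbound TCP from the
    internet to a management port counts as a probe.
    """
    hits = {port: Counter() for port in ports}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dport = parsed
        if proto != "TCP" or dport not in ports or is_internal(src):
            continue
        hits[dport][str(src)] += 1
    return hits


def summarize(hits, ports=WATCHED_PORTS, distinct_threshold=3):
    """Flag a port as 'widespread' when hit from at least distinct_threshold distinct external sources."""
    report = {}
    for port, counter in hits.items():
        report[port] = {
            "service": ports[port],
            "distinct_sources": len(counter),
            "attempts": sum(counter.values()),
            "top_sources": counter.most_common(3),
            "widespread": len(counter) >= distinct_threshold,
        }
    return report


if __name__ == "__main__":
    for port, r in summarize(external_probes(SAMPLE_LOG)).items():
        flag = "ALERT" if r["widespread"] else "ok"
        print(f"port {port} {r['service']}: {r['distinct_sources']} sources, "
              f"{r['attempts']} attempts [{flag}] top={r['top_sources']}")
```

On the constructed sample the telnet port is flagged (three distinct external sources, four attempts) while HTTP is not (one source). The count only tells you how many addresses are knocking; the practical takeaway from the article is that if telnet or the HTTP management interface answers on the WAN side at all, it should be disabled or firewalled until Zyxel ships a fix, since no patch exists to apply.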

“GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891,” the company said. “At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration.”

A Censys scan of internet-exposed devices revealed that over 1,500 Zyxel CPE Series devices are vulnerable and accessible online. A majority of these devices are located in the Philippines, Turkey, the United Kingdom, France, and Italy.
