Hackers are actively exploiting a critical command injection vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891, which has remained unpatched since its discovery last July.
The flaw allows unauthenticated attackers to execute arbitrary commands via the vulnerable devices’ ‘supervisor’ or ‘zyuser’ service accounts. Zyxel has yet to issue a security advisory or patch for CVE-2024-40891.
Cyber threat monitoring platform GreyNoise has recently reported an increase in exploitation activity against CVE-2024-40891. The platform noted that the exploitation attempts have originated from multiple unique IP addresses, suggesting widespread attempts to compromise vulnerable devices.
GreyNoise said that CVE-2024-40891 is based on the telnet protocol, in contrast to a similar vulnerability, CVE-2024-40890, which is HTTP-based.
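As an added example (not from the article, GreyNoise or Zyxel), a small Python triage script that groups telnet login attempts against the two service accounts named above by target device and counts distinct source IPs, so a defender can spot the "many sources, same accounts" pattern the reporting describes. The log line format is a constructed, hypothetical collector format, not Zyxel's own.

```python
import re
from collections import defaultdict

# Constructed, hypothetical log format (not Zyxel's own): one line per
# telnet login attempt collected from a CPE device.
SAMPLE_LOG = """\
2025-01-28T10:01:02Z telnet src=198.51.100.7 dst=192.0.2.10 user=supervisor result=fail
2025-01-28T10:01:05Z telnet src=198.51.100.7 dst=192.0.2.10 user=supervisor result=ok
2025-01-28T10:03:11Z telnet src=203.0.113.44 dst=192.0.2.10 user=zyuser result=ok
2025-01-28T10:04:20Z telnet src=203.0.113.9 dst=192.0.2.11 user=zyuser result=fail
2025-01-28T10:05:00Z telnet src=192.0.2.200 dst=192.0.2.12 user=admin result=ok
"""

# Built-in service accounts named in the reporting on CVE-2024-40891.
WATCHED_ACCOUNTS = {"supervisor", "zyuser"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse_lines(text):
    """Yield one dict per well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def telnet_service_account_alerts(text, min_sources=1):
    """Per target device: distinct source IPs and successful logins
    on the watched accounts, kept when >= min_sources IPs were seen.
    Any telnet use of these accounts from outside the management
    network deserves a ticket; a success is an incident."""
    per_dst = defaultdict(lambda: {"sources": set(), "successes": 0})
    for ev in parse_lines(text):
        if ev["user"] not in WATCHED_ACCOUNTS:
            continue
        entry = per_dst[ev["dst"]]
        entry["sources"].add(ev["src"])
        if ev["result"] == "ok":
            entry["successes"] += 1
    return {
        dst: {"sources": sorted(e["sources"]), "successes": e["successes"]}
        for dst, e in per_dst.items()
        if len(e["sources"]) >= min_sources
    }

if __name__ == "__main__":
    for dst, info in telnet_service_account_alerts(SAMPLE_LOG).items():
        print(dst, info)
```

Raising `min_sources` filters the output down to devices being tried from several addresses at once, which is the pattern GreyNoise reported.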
“GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891,” the company said. “At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration.”
A Censys scan of internet-exposed devices revealed that over 1,500 Zyxel CPE Series devices are vulnerable and accessible online. A majority of these devices are located in the Philippines, Turkey, the United Kingdom, France, and Italy.