Zyxel has issued a security advisory warning that it has no intention to address several actively exploited vulnerabilities in its CPE (Customer Premises Equipment) Series devices reported last month.
According to network scanning engines such as FOFA and Censys, over 1,500 Zyxel CPE Series devices remain exposed to the internet.
Two of the flaws can be chained to give an attacker unauthorized access to the networks behind the devices. All of the affected models are end-of-life (EoL) products that Zyxel stopped supporting years ago.
CVE-2024-40891 – A command injection in the Telnet CLI implemented in the libcms_cli.so library. The arguments of CLI commands such as ifconfig, ping and tftp are passed to a shell execution function without validation, so an authenticated user who embeds shell metacharacters in an argument can run arbitrary commands on the device.
CVE-2025-0890 – Weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234) on the affected devices. Many users never change them, leaving the devices exposed. Notably, the supervisor account has hidden privileges that give full system access, and the zyuser account is enough to authenticate to the Telnet CLI, so an attacker who knows the defaults can reach the post-authentication injection in CVE-2024-40891 without any other credentials and obtain remote code execution.
In addition to the two flaws above, the advisory mentions a third vulnerability tracked as CVE-2024-40890, a post-authentication command injection issue of the same class as CVE-2024-40891.
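The bug class behind CVE-2024-40891 and CVE-2024-40890 is a CLI handler that builds a command line from user input and hands it to a shell. The following is an added example, not Zyxel's code and not taken from libcms_cli.so: the handler names (vulnerable_ping, hardened_ping, is_safe_host, has_shell_metachar) and the sample inputs are hypothetical, constructed to show the vulnerable pattern next to a hardened one.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (hypothetical handler, not Zyxel's code): the CLI argument
 * is spliced into a command line that a shell interprets. An argument such as
 * "192.0.2.1; id" terminates the ping command and runs "id" afterwards. */
void vulnerable_ping(const char *arg)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", arg);
    system(cmd);                    /* ';', '|', '`', '$(...)' all work here */
}

/* Returns 1 if arg contains any character a POSIX shell treats specially.
 * Useful as an audit check over captured Telnet/CLI input. */
int has_shell_metachar(const char *arg)
{
    return strpbrk(arg, ";|&`$()<>\n\r'\"\\ \t*?[]{}~!#") != NULL;
}

/* Allowlist for a host argument: letters, digits, '.', '-', ':' only, bounded
 * length, and no leading '-' (which would otherwise be parsed as a ping option).
 * Everything not explicitly allowed is rejected, which covers every shell
 * metacharacter without having to enumerate them. */
int is_safe_host(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n > 253 || arg[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then exec the binary directly with an
 * argv array. No shell is involved, so a metacharacter could only ever reach
 * ping as a literal argument. Returns the child's exit status, or -1 if the
 * argument was rejected or the process could not be started. */
int hardened_ping(const char *arg)
{
    if (!is_safe_host(arg))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)arg, NULL };
        execvp("ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign host, a classic injection payload, and an
     * option-injection attempt that contains no shell metacharacter at all. */
    const char *inputs[] = { "192.0.2.1", "192.0.2.1; id", "$(reboot)", "-f" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s metachar=%d safe=%d\n", inputs[i],
               has_shell_metachar(inputs[i]), is_safe_host(inputs[i]));
    return 0;
}
```

Two points worth noting. Blocklisting metacharacters (has_shell_metachar) is fine for auditing logs but is a weak fix on its own, because the dangerous set depends on which shell system() invokes; the allowlist plus exec-without-shell in hardened_ping is the robust form. And even with no shell, an argument starting with '-' can still be parsed as an option by the target binary, which is why is_safe_host rejects it.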
Zyxel confirmed that the affected devices, including models such as VMG1312-B10A, VMG3312-B10A, VMG3926-B10B, and SBG3300, are all legacy products that have long since reached their end-of-life (EoL).
“We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,” the vendor said. “Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.”
Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-45195 (Apache OFBiz Forced Browsing Vulnerability), CVE-2024-29059 (Microsoft .NET Framework Information Disclosure Vulnerability), CVE-2018-9276 (Paessler PRTG Network Monitor OS Command Injection Vulnerability), CVE-2018-19410 (Paessler PRTG Network Monitor Local File Inclusion Vulnerability).