A significant zero-day vulnerability in Zyxel CPE series devices, identified as CVE-2024-40891, is being actively exploited by attackers.
This vulnerability enables attackers to execute arbitrary commands on affected devices, posing significant risks of system compromise, data theft, and network infiltration.
Over 1,500 susceptible devices have been identified by Censys scans; the vulnerability has not been fixed or publicly disclosed.
The vulnerability is a command injection flaw in the telnet interface of Zyxel CPE devices. It allows unauthenticated attackers to execute arbitrary commands by exploiting service accounts such as “supervisor” or “zyuser.”
The command injection vulnerability arises from improper input validation in the telnet management interface of Zyxel CPE devices.
By sending specially crafted telnet requests, attackers can inject and execute arbitrary system commands. This flaw is particularly dangerous because it does not require authentication, making it easy for attackers to exploit without needing valid credentials.
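The defect class described above, as an added illustration that is not Zyxel's code and not taken from the article: a toy management-shell handler that takes a host name typed into a telnet session and passes it to a diagnostic command. The vulnerable variant pastes the input into a shell string; the hardened variant validates against a positive allowlist and passes the value as a single argv element with no shell. `echo` stands in for the real diagnostic tool, and the handler names, regex and sample inputs are all assumptions made for this example.

```python
import re
import subprocess

# Constructed example: models the class of defect the article describes
# (unvalidated telnet input reaching a shell). Not Zyxel's code.

DIAG_TOOL = "echo"  # hypothetical stand-in for a tool such as ping/traceroute


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a shell string.

    The string is returned rather than executed so that running this block
    never evaluates attacker-controlled text; the point is that every shell
    metacharacter in `host` survives unchanged into the command line.
    """
    return f"{DIAG_TOOL} resolving {host}"


# Positive allowlist for a DNS host name or IPv4 literal: letters, digits,
# dot and hyphen, never starting with '-', at most 253 characters.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host: str) -> bool:
    """Accept only what a host name may contain.

    Refusing a leading '-' also blocks argument injection: an input such as
    '-c' would otherwise be parsed by the diagnostic tool as an option.
    """
    return _HOST_RE.fullmatch(host) is not None


def run_diag_safe(host: str) -> str:
    """Hardened form: validate first, then run argv without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    argv = [DIAG_TOOL, "resolving", host]  # one argv element, no shell parsing
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: two legitimate hosts, one with a shell metacharacter,
    # one that would be read as an option by the tool.
    for sample in ["example.com", "198.51.100.4", "example.com; echo injected", "-c"]:
        print("unsafe string :", build_command_unsafe(sample))
        try:
            print("safe result   :", run_diag_safe(sample))
        except ValueError as exc:
            print("safe result   : REJECTED ->", exc)
```

The hardened form relies on two independent controls: the allowlist rejects anything that is not a host name, and the argv call means that even an input that slipped past validation would reach the tool as a literal argument rather than being parsed by a shell.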
This issue is similar to another vulnerability, CVE-2024-40890, which is based on HTTP rather than telnet. Both vulnerabilities are critical as they bypass authentication mechanisms entirely. Researchers at GreyNoise and VulnCheck have confirmed the exploitation of CVE-2024-40891.
GreyNoise has observed active exploitation attempts in the wild, while VulnCheck initially disclosed the vulnerability to its partners under the name “Zyxel CPE Telnet Command Injection” on August 1, 2024.
Despite this disclosure, Zyxel has yet to release an official advisory or patch for this critical issue.
Given the critical nature of this vulnerability and the lack of an official patch, organizations using Zyxel CPE devices should take immediate action.
Organizations relying on Zyxel CPE devices must act swiftly to mitigate risks while awaiting a formal patch from the vendor.
Cybersecurity experts recommend continuous monitoring and strict access controls to safeguard against potential attacks stemming from this zero-day flaw.
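One concrete form of the monitoring and access control recommended above, as an added example that is not part of the article: a small check over firewall log lines that flags any accepted telnet (tcp/23) session reaching the device from the WAN zone or from a source outside an allowlisted management network, while separately counting attempts the firewall already blocked. The log format, the `10.0.0.0/24` management network and the addresses are all constructed for this example; adapt the parser to the syslog format your devices actually emit.

```python
import ipaddress
import re

# Constructed example: flags telnet management sessions that arrive from
# outside the trusted management network. Not vendor code.

MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed management LAN
TELNET_PORT = 23

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-01-29T08:00:01Z zone=LAN proto=tcp src=10.0.0.15 dst=10.0.0.1 dport=23 action=ACCEPT
2025-01-29T08:00:07Z zone=WAN proto=tcp src=203.0.113.44 dst=198.51.100.2 dport=23 action=ACCEPT
2025-01-29T08:00:09Z zone=WAN proto=tcp src=203.0.113.44 dst=198.51.100.2 dport=80 action=ACCEPT
2025-01-29T08:00:12Z zone=WAN proto=tcp src=192.0.2.200 dst=198.51.100.2 dport=23 action=DROP
2025-01-29T08:00:15Z zone=LAN proto=tcp src=10.0.1.9 dst=10.0.0.1 dport=23 action=ACCEPT
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict; timestamp kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_management_source(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in MANAGEMENT_NETS)


def audit_telnet_access(log_text: str) -> dict:
    """Return {'alerts': [...], 'blocked': n} for telnet traffic in the log.

    An alert is raised for every ACCEPTed tcp/23 session that either arrived
    on the WAN zone or came from a source outside MANAGEMENT_NETS.
    """
    alerts, blocked = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") != "tcp" or int(f.get("dport", 0)) != TELNET_PORT:
            continue
        if f.get("action") != "ACCEPT":
            blocked += 1  # already stopped at the perimeter; worth counting, not alerting
            continue
        reasons = []
        if f.get("zone") == "WAN":
            reasons.append("telnet accepted on WAN interface")
        if not is_management_source(f["src"]):
            reasons.append("source outside management allowlist")
        if reasons:
            alerts.append({"ts": f["ts"], "src": f["src"], "reasons": reasons})
    return {"alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    report = audit_telnet_access(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f"ALERT {a['ts']} src={a['src']}: {'; '.join(a['reasons'])}")
    print(f"blocked telnet attempts: {report['blocked']}")
```

Any alert from this check means the telnet interface is reachable from somewhere it should not be; the corresponding control is to restrict tcp/23 to the management network (or disable telnet entirely where it is not needed) rather than to tune the alert.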