Pierluigi Paganini January 29, 2025

Experts warn that threat actors are actively exploiting critical zero-day vulnerability, tracked as CVE-2024-40891, in Zyxel CPE Series devices.

GreyNoise researchers are observing active exploitation attempts targeting a zero-day, tracked as CVE-2024-40891, in Zyxel CPE Series devices.

The vulnerability is a command injection issue that remains unpatched and has not yet been publicly disclosed. Attackers can exploit this flaw to execute arbitrary commands on affected devices, potentially resulting in device takeover, data exfiltration, or network infiltration.

“CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based.” reads the advisory published by GreyNoise. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).”

VulnCheck disclosed the Zyxel CPE Telnet command injection flaw CVE-2024-40891 on August 1, 2024, but the vendor has yet to publish an advisory. GreyNoise researchers collaborated with VulnCheck to verify the detection and created a tag for the issue on January 21, 2025. Due to widespread attacks, the disclosure was made immediately without vendor coordination.

GreyNoise observed thousands of attack attempts originated from multiple IP addresses, most of them located in Taiwan. Cybersecurity firm Censys reported that more than 1,500 online devices are affected by the vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2024-40891)