Pierluigi Paganini February 12, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows, Zyxel device flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

• CVE-2024-40891 Zyxel DSL CPE OS Command Injection Vulnerability
• CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
• CVE-2025-21418 Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability
• CVE-2025-21391 Microsoft Windows Storage Link Following Vulnerability

The vulnerability CVE-2024-40891 is a command injection issue in Zyxel CPE Series devices that remains unpatched and has not yet been publicly disclosed. Attackers can exploit this flaw to execute arbitrary commands on affected devices, potentially resulting in device takeover, data exfiltration, or network infiltration.

“CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based.” reads the advisory published by GreyNoise. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).”

VulnCheck disclosed the Zyxel CPE Telnet command injection flaw CVE-2024-40891 on August 1, 2024, but the vendor has yet to publish an advisory. GreyNoise researchers collaborated with VulnCheck to verify the detection and created a tag for the issue on January 21, 2025. Due to widespread attacks, the disclosure was made immediately without vendor coordination.

GreyNoise observed thousands of attack attempts originated from multiple IP addresses, most of them located in Taiwan. Cybersecurity firm Censys reported that more than 1,500 online devices are affected by the vulnerability.

The vulnerability CVE-2024-40890 is a post-authentication command injection issue in the CGI program of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615. An authenticated attacker could exploit the vulnerability to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.

The two flaws in Microsoft Windows added to the KeV Catalog were addressed with the release of the Microsoft Patch Tuesday security updates for February 2025. The two zero-day flaws are actively exploited in the wild.

The actively exploited vulnerabilities are a Windows Storage Elevation of Privilege Vulnerability (CVE-2025-21391) and Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-21418).

CVE-2025-21391 is a Windows Storage privilege escalation flaw exploited in the wild. It allows attackers to delete files and may be paired with code execution for full system takeover.

“An attacker would only be able to delete targeted files on a system.” reads the advisory. “This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.”

CVE-2025-21418 is a Windows Ancillary Function Driver for WinSock privilege escalation flaw. It could allow an authenticated user to run a crafted program to gain SYSTEM privileges, likely paired with code execution for full system takeover.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)