Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging customers to migrate to actively supported models.
VulnCheck discovered the two flaws in July 2024, but last week, GreyNoise reported having seen exploitation attempts in the wild.
According to network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant.
In a new post today, VulnCheck presented the full details of the two flaws it observed in attacks aimed at gaining initial access to networks:
- CVE-2024-40891 – Authenticated users can exploit Telnet command injection due to improper command validation in libcms_cli.so. Certain commands (e.g., ifconfig, ping, tftp) are passed unchecked to a shell execution function, allowing arbitrary code execution using shell metacharacters.
- CVE-2025-0890 – Devices use weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many users do not change. The supervisor account has hidden privileges, granting full system access, while zyuser can exploit CVE-2024-40891 for remote code execution.
VulnCheck disclosed the full exploitation details, demonstrating its PoC against VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615.
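As an added defensive example (not code from VulnCheck, Zyxel, or the advisory), the Python below does two things a practitioner would want from the description above: it flags Telnet CLI lines in which one of the named pass-through commands (ifconfig, ping, tftp) carries shell metacharacters, and it shows the kind of strict argument allowlist that libcms_cli.so should have applied before handing anything to a shell. The allowlist pattern, the eight-argument limit and the sample session lines are assumptions constructed for illustration.

```python
import re
import shlex

# CLI commands the advisory names as handed unchecked to a shell by libcms_cli.so.
PASSTHROUGH_COMMANDS = {"ifconfig", "ping", "tftp"}
# Shell metacharacters that let an argument break out into a second command.
METACHARS = re.compile(r"[;&|`$(){}<>\n\\]")
# Assumed allowlist for legitimate arguments (IPs, hostnames, interfaces, flags);
# an illustrative policy, not Zyxel's own validation logic.
SAFE_ARG = re.compile(r"^-?[A-Za-z0-9._:/-]{1,64}$")

def is_injection_attempt(line):
    """True if the line invokes a pass-through command with shell metacharacters."""
    parts = line.strip().split(None, 1)
    if not parts or parts[0] not in PASSTHROUGH_COMMANDS:
        return False
    return bool(METACHARS.search(parts[1] if len(parts) > 1 else ""))

def validate_cli_command(line):
    """Hardened check: return an argv list for an execve-style call (no shell),
    or None if the command or any argument fails the allowlist."""
    try:
        argv = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in PASSTHROUGH_COMMANDS or len(argv) > 8:
        return None
    if not all(SAFE_ARG.match(a) for a in argv[1:]):
        return None
    return argv

def scan_log(entries):
    """Return the (user, cmd) pairs from a CLI session log that look like
    injection attempts, plus anything run as the hidden supervisor account."""
    return [(user, cmd) for user, cmd in entries
            if user == "supervisor" or is_injection_attempt(cmd)]

# Constructed sample CLI session lines (not captured traffic).
SAMPLE_LOG = [
    ("zyuser", "ping 192.168.1.1"),
    ("zyuser", "ifconfig br0"),
    ("zyuser", "ping 127.0.0.1; id"),
    ("supervisor", "sys version"),
    ("admin", "tftp -g -r fw.bin 10.0.0.5 `id`"),
]
```

The detector only covers the three commands the advisory names, so a line such as "sys version; id" is not flagged; widen PASSTHROUGH_COMMANDS if other pass-through commands are identified.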
The researchers warned that despite these devices not being supported for many years, they are still found in networks worldwide.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” warned VulnCheck.
“The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”
Zyxel suggests replacement
Zyxel’s latest advisory confirms the vulnerabilities disclosed by VulnCheck today impact multiple end-of-life (EoL) products.
The vendor states that the impacted devices reached EoL several years ago, suggesting their replacement with newer-generation equipment.
“We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,” reads Zyxel’s advisory.
“Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.”
Zyxel also includes a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection problem similar to CVE-2024-40891.
Interestingly, Zyxel claims that although it asked VulnCheck to share a detailed report since last July, they never did. Instead, they allegedly published their write-up without informing them.