InfoSecBulletin Cybersecurity for mankind
Security researchers have alerted about ongoing exploitation attempts of a newly found zero-day command injection vulnerability in Zyxel CPE Series devices, known as CVE-2024-40891. The critical, unpatched vulnerability has left more than 1,500 devices worldwide at risk, according to Censys.
About the Vulnerability – CVE-2024-40891:
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
ChatGPT Develops Exploit for CVEs Before Public PoCs Share
TP-Link Router Vulns Allow to Execute Malicious SQL Commands
SSL.com’s domain validation system’s bug found: Hacker exploited
Amazon Follows Microsoft’s Lead, Halts Some Data Center Deals
Hackers Exploit Zoom’s Remote Control Feature for System Access
CVE-2024-40891 is a vulnerability that lets attackers run commands on systems without needing to log in, using accounts like “supervisor” or “zyuser.” This could allow attackers to take control of the system and steal data.
The vulnerability CVE-2024-40891 is similar to CVE-2024-40890, which was an HTTP-based issue, but it uses telnet as the attack vector.
GreyNoise security researchers have confirmed that this vulnerability is being actively exploited. Exploitation attempts appeared shortly after VulnCheck disclosed the vulnerability to select security partners on August 1, 2024.
Zyxel has not yet addressed the vulnerability with an official advisory or firmware update.
Exploitation Observed and Response:
GreyNoise and VulnCheck have been tracking malicious traffic associated with CVE-2024-40891 since January 21, 2025. Exploitation patterns and attacker IPs are now being tracked in real-time. Due to the high volume of attacks, security researchers chose to disclose this information publicly so organizations can act quickly to defend themselves.
This situation highlights the risks of zero-day vulnerabilities, especially in commonly used internet-facing devices like Zyxel’s CPE Series. Attackers can gain full control of affected devices through this flaw, posing a serious risk for organizations that rely on them.
Organizations using Zyxel CPE Series devices should take the following steps immediately:
Network Monitoring: Monitor network traffic for unusual telnet activity on Zyxel CPE management interfaces.
Access Controls: Limit admin access to trusted IP addresses and disable unused remote management features.
Vendor Updates: Keep an eye out for Zyxel security updates and apply them immediately.
EOL Devices: Decommission any devices that are no longer supported to reduce risks.
The cybersecurity community is urging Zyxel to release a patch quickly to address this vulnerability. In the meantime, organizations should take precautions to protect their networks.
