InfoSecBulletin Cybersecurity for mankind
Security researchers have alerted about ongoing exploitation attempts of a newly found zero-day command injection vulnerability in Zyxel CPE Series devices, known as CVE-2024-40891. The critical, unpatched vulnerability has left more than 1,500 devices worldwide at risk, according to Censys.
About the Vulnerability – CVE-2024-40891:
Cyberattack detected at Polish space agency, minister says
Nearly 12,000 API Keys and Passwords Found in Public Datasets
Android Phone’s Unlocked Using Cellebrite’s Zero-day Exploit
DragonForce Ransomware Targets Saudi Company, 6TB Data Stolen
Microsoft Uncovers Hackers Selling Illegal Azure AI Access
By 2025, India’s First Semiconductor Chip to be ready
CVE-2025-20111
Cisco Warns Vulns in Nexus 3000 and 9000 Series Switches
CVE-2025-0475 & CVE-2025-0555
GitLab’s High-Risk Flaw, Patch Now Urgently!
Botnet Powered by 130,000 Devices Targets Microsoft 365 Accounts
HaveIBeenPwned Added 244 Million Passwords Stolen By Infostealers
CVE-2024-40891 is a vulnerability that lets attackers run commands on systems without needing to log in, using accounts like “supervisor” or “zyuser.” This could allow attackers to take control of the system and steal data.
The vulnerability CVE-2024-40891 is similar to CVE-2024-40890, which was an HTTP-based issue, but it uses telnet as the attack vector.
GreyNoise security researchers have confirmed that this vulnerability is being actively exploited. Exploitation attempts appeared shortly after VulnCheck disclosed the vulnerability to select security partners on August 1, 2024.
Zyxel has not yet addressed the vulnerability with an official advisory or firmware update.
Exploitation Observed and Response:
GreyNoise and VulnCheck have been tracking malicious traffic associated with CVE-2024-40891 since January 21, 2025. Exploitation patterns and attacker IPs are now being tracked in real-time. Due to the high volume of attacks, security researchers chose to disclose this information publicly so organizations can act quickly to defend themselves.
This situation highlights the risks of zero-day vulnerabilities, especially in commonly used internet-facing devices like Zyxel’s CPE Series. Attackers can gain full control of affected devices through this flaw, posing a serious risk for organizations that rely on them.
Organizations using Zyxel CPE Series devices should take the following steps immediately:
Network Monitoring: Monitor network traffic for unusual telnet activity on Zyxel CPE management interfaces.
Access Controls: Limit admin access to trusted IP addresses and disable unused remote management features.
Vendor Updates: Keep an eye out for Zyxel security updates and apply them immediately.
EOL Devices: Decommission any devices that are no longer supported to reduce risks.
The cybersecurity community is urging Zyxel to release a patch quickly to address this vulnerability. In the meantime, organizations should take precautions to protect their networks.
