Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging users to move to actively supported models.
VulnCheck discovered the two flaws in July 2024, but last week, GreyNoise reported having seen exploitation attempts in the wild.
According to network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant.
In a new post today, VulnCheck presented the full details of the two flaws it observed in attacks aimed at gaining initial access to networks:
- CVE-2024-40891 – Authenticated users can exploit Telnet command injection due to improper command validation in libcms_cli.so. Certain commands (e.g., ifconfig, ping, tftp) are passed unchecked to a shell execution function, allowing arbitrary code execution using shell metacharacters.
- CVE-2025-0890 – Devices use weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many users don’t change. The supervisor account has hidden privileges, granting full system access, while zyuser can exploit CVE-2024-40891 for remote code execution.
VulnCheck disclosed the complete exploitation details, demonstrating its PoC against VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615.
The researchers warned that despite these devices no longer being supported for many years, they are still found in networks worldwide.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” warned VulnCheck
“The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”
Zyxel suggests replacement
Zyxel’s latest advisory confirms the vulnerabilities disclosed by VulnCheck today impact multiple end-of-life (EoL) products.
The vendor states that the impacted devices reached EoL several years back, suggesting their replacement with newer generation equipment.
“We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,” reads Zyxel’s advisory.
“Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.”
Zyxel also includes a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection problem similar to CVE-2024-40891.
Interestingly, Zyxel claims that although it asked VulnCheck to share a detailed report since last July, they never did. Instead, they allegedly published their write-up without informing them.
