Zyxel has issued a safety advisory about actively exploited flaws in CPE Sequence units, warning that it has no plans to situation fixing patches and urging customers to maneuver to actively supported fashions.
VulnCheck found the 2 flaws in July 2024, however final week, GreyNoise reported having seen exploitation makes an attempt within the wild.
In response to community scanning engines FOFA and Censys, over 1,500 Zyxel CPE Sequence units are uncovered to the web, so the assault floor is important.
In a brand new put up at this time, VulnCheck offered the complete particulars of the 2 flaws it noticed in assaults geared toward gaining preliminary entry to networks:
- CVE-2024-40891 – Authenticated customers can exploit Telnet command injection as a result of improper command validation in libcms_cli.so. Sure instructions (e.g., ifconfig, ping, tftp) are handed unchecked to a shell execution operate, permitting arbitrary code execution utilizing shell metacharacters.
- CVE-2025-0890 – Units use weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many customers do not change. The supervisor account has hidden privileges, granting full system entry, whereas zyuser can exploit CVE-2024-40891 for distant code execution.
Supply: VulnCheck
VulnCheck disclosed the entire exploitation particulars, demonstrating its PoC in opposition to VMG4325-B10A operating firmware model 1.00(AAFR.4)C0_20170615.
Supply: VulnCheck
The researchers warned that regardless of these units not being supported for a few years, they’re nonetheless present in networks worldwide.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” warned VulnCheck
“The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”
Zyxel suggests alternative
Zyxel’s newest advisory confirms the vulnerabilities disclosed by VulnCheck at this time impression a number of end-of-life (EoL) merchandise.
The seller states that the impacted units reached EoL a number of years again, suggesting their alternative with newer era tools.
“We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,” reads Zyxel’s advisory.
“Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.”
Zyxel additionally features a third flaw within the advisory, CVE-2024-40890, a post-authentication command injection drawback just like CVE-2024-40891.
Curiously, Zyxel claims that though it requested VulnCheck to share an in depth report since final July, they by no means did. As an alternative, they allegedly revealed their write-up with out informing them.
