Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability

Jan 29, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild.

“Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration,” GreyNoise researcher Glenn Thorpe said in an alert published Tuesday.

The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024.


Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses, with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices exposed online.

“CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based,” GreyNoise added. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts.”

VulnCheck told The Hacker News that it is working through its disclosure process with the Taiwanese company. We have reached out to Zyxel for further comment, and we will update the story if we hear back.


In the meantime, users are advised to filter traffic for unusual HTTP requests to Zyxel CPE management interfaces and to restrict administrative interface access to trusted IPs. Because CVE-2024-40891 is reached over Telnet rather than HTTP, the same restriction should cover the device's Telnet service, not only its web interface.
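One way to act on that advice on the log side, as an added example that is not code from The Hacker News, GreyNoise or Zyxel: scan the CPE web interface's access log, flag every request from outside a trusted-admin allowlist, and additionally flag requests whose URL carries shell metacharacters, which is the shape a command-injection attempt against a CGI endpoint usually takes. The log lines are constructed, the `/cgi-bin/...` paths and the trusted network are assumptions, and the metacharacter heuristic is a generic one, not a published signature for CVE-2024-40890 or CVE-2024-40891.

```python
"""Flag HTTP requests to a CPE management interface that come from outside a
trusted-admin allowlist, or that carry shell metacharacters in the request.

Added example (not the article's, GreyNoise's or Zyxel's code). The log lines
are constructed; the paths, the trusted network and the metacharacter
heuristic are assumptions, not details published for the Zyxel bugs.
"""
import ipaddress
import re
from typing import Iterable

# Constructed sample in Common Log Format, as a CPE's web server might emit it.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2025:09:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512
203.0.113.77 - - [28/Jan/2025:09:12:04 +0000] "POST /cgi-bin/login HTTP/1.1" 200 87
198.51.100.9 - - [28/Jan/2025:09:12:09 +0000] "GET /cgi-bin/ping?host=1.1.1.1;id HTTP/1.1" 200 40
10.0.0.5 - - [28/Jan/2025:09:13:15 +0000] "GET /cgi-bin/ping?host=1.1.1.1 HTTP/1.1" 200 40
"""

# Assumption: only this network is allowed to reach the admin interface.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumption (generic heuristic): legitimate admin traffic does not carry shell
# separators / substitution in the URL; injection attempts usually do. The
# percent-encoded forms cover ';', '|' and newline sent through a browser.
SHELL_META = re.compile(r"[;|`&]|\$\(|%0a|%3b|%7c", re.IGNORECASE)

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf(line: str):
    m = CLF.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def classify(line: str) -> list[str]:
    """Return the reasons a log line is suspicious (empty list = benign)."""
    rec = parse_clf(line)
    if rec is None:
        return ["unparseable"]
    reasons = []
    if not is_trusted(rec["ip"]):
        reasons.append(f"untrusted source {rec['ip']}")
    if SHELL_META.search(rec["path"]):
        reasons.append("shell metacharacters in request")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Scan log lines and return (line, reasons) for each suspicious one."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {'; '.join(reasons)} :: {line}")
```

Run against the constructed log, the script flags the login from 203.0.113.77 (outside the allowlist) and the ping request from 198.51.100.9 (outside the allowlist and carrying `;id`), while the two requests from the trusted 10.0.0.5 pass. The allowlist check is the stronger of the two: an attacker who is already inside the trusted network can avoid metacharacters that a particular regex looks for, so the network restriction should be enforced on the device or a firewall in front of it, and the log filter treated as a detection backstop.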

The development comes as Arctic Wolf reported that it observed a campaign, starting January 22, 2025, that involved gaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.

It is currently not known if the attacks are linked to the exploitation of recently disclosed security flaws in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.


“The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance,” security researcher Andres Ramos said. “The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further.”
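The two indicators Arctic Wolf describes translate directly into endpoint detection logic. The following is an added example, not Arctic Wolf's or SimpleHelp's code: it runs over constructed process-creation and network-connection events in a Sysmon-like shape and reports (1) the SimpleHelp client connecting to a server that is not on the organisation's approved list and (2) enumeration tools such as `net` and `nltest` running under a `cmd.exe` whose ancestry leads back to a SimpleHelp process. The executable names, the approved-server list and every event are assumptions made for the example.

```python
"""Match the SimpleHelp compromise indicators against constructed telemetry.

Added example (not Arctic Wolf's or SimpleHelp's code). Image names, the
approved-server list and all events are assumptions/constructed data.
"""

# Assumption: image names under which the SimpleHelp client runs on the host.
SIMPLEHELP_IMAGES = {"simplehelp-remote-access.exe", "remote access service.exe"}
# Assumption: the only SimpleHelp server instance this organisation sanctions.
APPROVED_SERVERS = {"support.example.com", "10.10.0.20"}
# Account/domain enumeration tools named in the report, plus a common companion.
ENUM_TOOLS = {"net.exe", "net1.exe", "nltest.exe", "whoami.exe"}

# Constructed telemetry: 'net' = outbound connection, 'proc' = process creation.
EVENTS = [
    {"type": "net", "pid": 400, "image": "simplehelp-remote-access.exe",
     "dst": "support.example.com", "port": 443},
    {"type": "net", "pid": 400, "image": "simplehelp-remote-access.exe",
     "dst": "203.0.113.50", "port": 443},
    {"type": "proc", "pid": 1200, "ppid": 400, "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    {"type": "proc", "pid": 1210, "ppid": 1200, "image": "net.exe",
     "cmdline": 'net group "domain admins" /domain'},
    {"type": "proc", "pid": 1220, "ppid": 1200, "image": "nltest.exe",
     "cmdline": "nltest /dclist:corp"},
    # Same tools launched by an unrelated cmd.exe (parent 900): should not fire.
    {"type": "proc", "pid": 1300, "ppid": 900, "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"type": "proc", "pid": 1310, "ppid": 1300, "image": "net.exe",
     "cmdline": "net use"},
]


def unapproved_server_connections(events):
    """Indicator 1: SimpleHelp client talking to a server not on the allowlist."""
    return [
        e for e in events
        if e["type"] == "net"
        and e["image"].lower() in SIMPLEHELP_IMAGES
        and e["dst"].lower() not in APPROVED_SERVERS
    ]


def ancestor_pids(by_pid, pid, max_depth=8):
    """Yield parent pids walking up the process tree until the chain is unknown."""
    e = by_pid.get(pid)
    depth = 0
    while e is not None and depth < max_depth:
        yield e["ppid"]
        e = by_pid.get(e["ppid"])
        depth += 1


def enumeration_under_simplehelp(events):
    """Indicator 2: enumeration tools whose ancestry includes a SimpleHelp pid.

    The SimpleHelp pids are learned from any event carrying its image name, so
    a session whose process creation predates the log window is still matched.
    """
    by_pid = {e["pid"]: e for e in events if e["type"] == "proc"}
    simplehelp_pids = {e["pid"] for e in events
                       if e["image"].lower() in SIMPLEHELP_IMAGES}
    hits = []
    for e in by_pid.values():
        if e["image"].lower() not in ENUM_TOOLS:
            continue
        if any(p in simplehelp_pids for p in ancestor_pids(by_pid, e["pid"])):
            hits.append(e)
    return hits


def detect(events):
    """Run both indicators and return their findings."""
    return {
        "unapproved_servers": unapproved_server_connections(events),
        "enumeration": enumeration_under_simplehelp(events),
    }


if __name__ == "__main__":
    findings = detect(EVENTS)
    for e in findings["unapproved_servers"]:
        print(f"ALERT unapproved SimpleHelp server {e['dst']}:{e['port']} from pid {e['pid']}")
    for e in findings["enumeration"]:
        print(f"ALERT enumeration via SimpleHelp session: pid {e['pid']} {e['cmdline']}")
```

On the constructed events this reports the connection to 203.0.113.50 and the `net group` and `nltest` executions under pid 1200, and stays silent on the `net use` run from the unrelated `cmd.exe`. The ancestry walk rather than a direct parent check is deliberate: interactive sessions often interpose an extra `cmd.exe /c` or `conhost.exe` between the remote-access process and the tool, and a parent-only rule would miss those.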

Organizations are strongly advised to update their SimpleHelp instances to the latest available fixed versions to secure against potential threats.
