A command-injection vulnerability in Zyxel CPE Series devices is being actively exploited. The flaw, tracked as CVE-2024-40891, was reported to Zyxel by VulnCheck last July. More than six months later, Zyxel has neither publicly acknowledged the issue nor released a fix, leaving exposed devices open to attack.
Successful exploitation of CVE-2024-40891 lets an attacker run arbitrary commands on the affected CPE, which amounts to full control of the device and a foothold on the network behind it, with network infiltration and data theft as the likely follow-on. VulnCheck has stressed the severity of the bug and the urgency of a vendor patch.
Researchers at GreyNoise, working with VulnCheck, have since documented in-the-wild exploitation. With attack volume rising over recent weeks and no patch in sight, they chose to disclose the issue publicly. They note that CVE-2024-40891 closely resembles a previously known Zyxel flaw, CVE-2024-40890: the main difference is that CVE-2024-40891 is reached over telnet while CVE-2024-40890 is reached over HTTP, and both allow unauthenticated attackers to execute commands through the devices' built-in service accounts.
With no patch available, the exposure is significant: reports put the number of vulnerable devices reachable from the internet at more than 1,500. Botnet operators have already folded the exploit into their malware, and GreyNoise has tied many of the IPs attempting exploitation to the Mirai botnet, pointing to the potential for large-scale automated attacks.
In the absence of a fix, GreyNoise advises device owners to take their own precautions: filter traffic for unusual requests to Zyxel CPE management interfaces, watch Zyxel's security advisories for a patch, restrict administrative access to trusted IP addresses, and disable any remote management features that are not needed. Since both flaws are reached through the telnet and HTTP management services, keeping those services off the WAN side, or reachable only from an allowlisted set of administrative addresses enforced at an upstream firewall, removes the exploitation path until a patch is released.
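The following is an added example, not code from the original article or from GreyNoise, VulnCheck or Zyxel. It shows one way to implement two of the recommendations above: flagging inbound connections to a CPE's management services that do not come from a trusted administrative network, and rendering the matching allowlist as an nftables rule fragment for an upstream firewall. It assumes (labelled in the code) that management listens on telnet/23 and HTTP/80 and 443, the two vectors associated with these flaws; the trusted networks, the hypothetical interface name `wan`, and the firewall log lines are all constructed for the example.

```python
"""Flag untrusted access to CPE management ports and render an allowlist rule.

Added example, not from the original article or the vendor. Assumptions:
management services are telnet (23) and HTTP/HTTPS (80, 443); the trusted
networks below are placeholders; the log format is constructed for this example.
"""
import ipaddress
import re

# Hypothetical trusted administrative networks (replace with your own).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),  # single jump host, documentation range
]

# Assumed CPE remote-management ports: telnet and HTTP(S).
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}

# Constructed firewall log lines for the example (not real captured traffic).
SAMPLE_LOG = """\
2025-01-28T10:01:02Z fw: IN=wan SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=23
2025-01-28T10:01:05Z fw: IN=wan SRC=10.20.30.40 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=23
2025-01-28T10:01:09Z fw: IN=wan SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=80
2025-01-28T10:02:00Z fw: IN=wan SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=8443
2025-01-28T10:02:30Z fw: IN=wan SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=51237 DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def is_trusted(src: str) -> bool:
    """True if the source address falls inside any trusted admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def classify(line: str):
    """Return a record for a management-port connection, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable or non-matching line
    dpt = int(m["dpt"])
    if dpt not in MANAGEMENT_PORTS:
        return None  # not one of the assumed management ports
    verdict = "allow" if is_trusted(m["src"]) else "ALERT"
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "service": MANAGEMENT_PORTS[dpt],
        "verdict": verdict,
    }


def find_untrusted_management_access(log_text: str) -> list:
    """Return every management-port connection from a non-trusted source."""
    alerts = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["verdict"] == "ALERT":
            alerts.append(rec)
    return alerts


def nftables_rules(wan_iface: str = "wan") -> str:
    """Render an nftables input-chain fragment that admits management traffic
    only from the trusted networks and drops the rest on the WAN interface."""
    ports = ", ".join(str(p) for p in sorted(MANAGEMENT_PORTS))
    nets = ", ".join(str(n) for n in TRUSTED_ADMIN_NETS)
    return (
        "table inet cpe_mgmt {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f'        iifname "{wan_iface}" tcp dport {{ {ports} }} ip saddr {{ {nets} }} accept\n'
        f'        iifname "{wan_iface}" tcp dport {{ {ports} }} drop\n'
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    for rec in find_untrusted_management_access(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['verdict']}: {rec['src']} -> {rec['dst']} ({rec['service']})")
    print(nftables_rules())
```

Run against the constructed log, the script flags the two connections from 198.51.100.7 (telnet, then HTTP) and ignores the telnet attempt from the trusted 10.0.0.0/8 range, the HTTPS login from the jump host, and the connection to a non-management port. The nftables fragment is the preventive counterpart: apply it on a firewall in front of the CPE, not on the unpatched device itself.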
The episode is a reminder that vendors like Zyxel need to patch reported vulnerabilities promptly, especially in internet-facing customer-premises equipment that is an easy target for botnets. Until CVE-2024-40891 is fixed, the burden falls on operators to limit exposure themselves, and on the research community to keep sharing what it observes of the ongoing exploitation.