Researchers at GreyNoise have reported active in-the-wild exploitation of a zero-day vulnerability in Zyxel CPE devices. The flaw, tracked as CVE-2024-40891, lets attackers execute arbitrary commands on affected devices, potentially leading to a complete compromise of the device.
According to GreyNoise's analysis, the vulnerability is closely related to a previously disclosed issue, CVE-2024-40890, but differs in the attack vector: the older flaw is reached over HTTP, while the new one is exploited over Telnet. Successful exploitation gives unauthenticated attackers command execution in the context of high-privilege service accounts such as "supervisor" or "zyuser".
Despite the severity of the flaw and the observed exploitation, Zyxel had not released a patch or any official communication about the issue at the time of GreyNoise's report. GreyNoise chose to disclose the details publicly because the vulnerability had already been publicly known since August 2024 and was being actively exploited.
Exploitation of Zyxel vulnerabilities by threat actors is not new. In recent months, groups such as the Helldown ransomware operators have exploited Zyxel firewall vulnerabilities to gain initial access to networks. Those intrusions have resulted in credential theft, lateral network compromise, and the creation of unauthorized administrative accounts.
In the absence of an official fix, GreyNoise is urging defenders to take immediate action to secure their Zyxel devices: restrict administrative access, including Telnet, to trusted IP ranges; disable remote management services that are not needed; and monitor network and device logs for suspicious activity targeting Zyxel CPE management interfaces.
Administrators are also advised to follow Zyxel's security advisories and apply patches promptly once they are released. GreyNoise further recommends retiring end-of-life Zyxel devices and auditing devices for newly created accounts, which can indicate that a device has already been compromised.
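The monitoring and account-audit steps above can be turned into a simple log triage. The following is an added example written for this page, not code from GreyNoise or Zyxel. It assumes a constructed, syslog-like line format (real Zyxel CPE logs differ, so the regular expressions and the trusted ranges are placeholders to adapt) and flags three things: Telnet (TCP/23) connections to a device from outside an administrative allow-list, logins to the "supervisor" or "zyuser" service accounts from untrusted sources, and any account-creation event.

```python
"""
Added example for triaging Zyxel CPE management-interface logs.
Not part of the GreyNoise report or Zyxel's tooling. The log format,
the trusted ranges and the sample lines below are all constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumption: administrative access is only legitimate from these ranges.
TRUSTED_ADMIN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Service accounts named in the CVE-2024-40891 reporting.
WATCHED_ACCOUNTS = {"supervisor", "zyuser"}

# Constructed line formats (hypothetical; adapt to the real device syslog):
#   <ts> <device> conn proto=tcp src=<ip> dst=<ip> dport=<port>
#   <ts> <device> login user=<name> src=<ip> result=<ok|fail>
#   <ts> <device> useradd user=<name> by=<name>
CONN_RE = re.compile(r"conn proto=tcp src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
LOGIN_RE = re.compile(r"login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")
USERADD_RE = re.compile(r"useradd user=(?P<user>\S+) by=(?P<by>\S+)")


def is_trusted(ip: str) -> bool:
    """True if ip parses and falls inside one of the trusted admin ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable source (hostname, garbage) is never treated as trusted.
        return False
    return any(addr in net for net in TRUSTED_ADMIN_RANGES)


def analyze(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, subject, detail) tuples for suspicious lines."""
    alerts = []
    for line in lines:
        conn = CONN_RE.search(line)
        login = LOGIN_RE.search(line)
        useradd = USERADD_RE.search(line)
        if conn:
            # Telnet is the vector for CVE-2024-40891: any session to port 23
            # from outside the allow-list is worth a look regardless of outcome.
            if conn["dport"] == "23" and not is_trusted(conn["src"]):
                alerts.append(("telnet_from_untrusted", conn["src"], conn["dst"]))
        elif login:
            # A service-account login from an untrusted source is a strong signal.
            if login["user"] in WATCHED_ACCOUNTS and not is_trusted(login["src"]):
                alerts.append(("service_account_login", login["user"], login["src"]))
        elif useradd:
            # New accounts on a CPE device are rare; every creation gets reviewed.
            alerts.append(("account_created", useradd["user"], useradd["by"]))
    return alerts


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    "2025-01-28T10:00:01Z cpe1 conn proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=23",
    "2025-01-28T10:00:07Z cpe1 conn proto=tcp src=198.51.100.77 dst=203.0.113.10 dport=23",
    "2025-01-28T10:00:08Z cpe1 login user=supervisor src=198.51.100.77 result=ok",
    "2025-01-28T10:00:09Z cpe1 useradd user=support by=supervisor",
    "2025-01-28T10:01:00Z cpe1 conn proto=tcp src=198.51.100.77 dst=203.0.113.10 dport=443",
    "2025-01-28T10:01:30Z cpe1 login user=admin src=10.0.0.5 result=ok",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print("ALERT", *alert)
```

Run against the constructed sample, the script raises three alerts: the Telnet session from 198.51.100.77, the "supervisor" login from that same address, and the "support" account created by "supervisor" a second later. That sequence (untrusted Telnet, service-account login, new account) is exactly the chain the advisory describes, which is why the account-creation check is kept even when the Telnet port is already filtered: it catches devices that were compromised before the filter went in.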
Until Zyxel ships a fix, the measures GreyNoise outlines are the only available mitigation for this zero-day. The episode also illustrates a recurring problem with edge devices: vulnerabilities that are publicly known for months, sometimes in end-of-life hardware that will never be patched, remain attractive to attackers. Organizations that restrict management access, retire unsupported devices, and audit for signs of compromise are far better placed to withstand this kind of exploitation.