Zyxel, a networking hardware vendor, has decided not to patch several of its end-of-life routers that attackers are currently targeting through three vulnerabilities. The vulnerabilities, including a zero-day known as CVE-2024-40891, are being used in attacks involving the Mirai botnet malware, according to a report from threat intelligence vendor GreyNoise.
In a blog post, Glenn Thorpe, GreyNoise’s senior director of security research, said that a Censys scan identified 1,500 vulnerable devices and that the post-authentication command injection vulnerability had been neither patched nor publicly disclosed. Another threat intelligence vendor, VulnCheck, originally discovered CVE-2024-40891 and shared it with its partners in August 2024. GreyNoise worked with VulnCheck in January to coordinate disclosure and validate its threat research, although there was no coordination with Zyxel because of the high number of attacks.
Zyxel recently published an advisory disclosing three vulnerabilities: CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890. These vulnerabilities include critical post-authentication command injection issues and insecure default credentials that could allow attackers to execute commands on affected devices. While Zyxel maintains that WAN access and the Telnet function are disabled by default on these devices, attacks could still be successful if user-configured passwords are compromised.
The affected router models, legacy products that have been end-of-life for several years, include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, and others. Zyxel has advised customers to replace these older routers with newer-generation models and to take proactive security measures such as disabling remote access and regularly changing passwords.
VulnCheck, the original reporter of the vulnerabilities to Zyxel, released its own advisory highlighting the ongoing relevance of these end-of-life routers despite their age and lack of support. The fact that attackers are actively exploiting these routers underscores the importance of addressing these security issues to prevent further attacks, as noted by VulnCheck CTO Jacob Baines.
Zyxel expressed frustration with VulnCheck’s handling of the situation in a disclosure timeline, citing a lack of detailed reports and communication regarding the vulnerabilities. Both Zyxel and VulnCheck were contacted for additional comment on the matter.
Overall, the decision not to patch these critical vulnerabilities in end-of-life routers poses a significant risk to users and highlights the importance of timely disclosure and proactive security measures to mitigate potential attacks. The ongoing exploitation of these vulnerabilities emphasizes the need for continued vigilance against threats to network security.

