Hackers Exploit New Zyxel Vulnerability to Execute Arbitrary Commands Remotely

As cybersecurity threats become increasingly complex, network devices from various vendors are becoming prime targets for hackers. According to recent reports, a new zero-day vulnerability has been discovered in Zyxel CPE series devices. This vulnerability, tracked as CVE-2024-40891, is being actively exploited by attackers.

This security flaw allows attackers to execute arbitrary commands on affected devices, posing severe risks such as system compromise, data theft, and network security breaches.

Security researchers have identified more than 1,500 devices vulnerable to this exploit, and as of this writing the issue has not been officially disclosed or patched.

According to analysts, CVE-2024-40891 stems from a command injection vulnerability in the Telnet interface of Zyxel CPE devices.

🔴 Attackers connect to the device using service accounts such as “supervisor” or “zyuser” and then execute malicious commands.

🔴 The flaw arises due to improper input validation in the Telnet management interface, allowing attackers to send specially crafted Telnet requests to execute arbitrary system commands.

This vulnerability is particularly dangerous because it completely bypasses authentication, meaning attackers do not need valid credentials or passwords to exploit the system.

Additionally, a similar vulnerability, CVE-2024-40890, has been identified, which is exploited via HTTP, whereas CVE-2024-40891 operates through Telnet. Both vulnerabilities pose critical risks by enabling attackers to gain full control over affected devices.

Researchers from GreyNoise and VulnCheck have confirmed that CVE-2024-40891 is being actively exploited.

🔎 GreyNoise is tracking real-time attempts to exploit the vulnerability.
🔎 VulnCheck reported the vulnerability to its partners on August 1, 2024, identifying it as “Zyxel CPE Telnet Command Injection”.

Despite the severity of the issue, Zyxel has not yet released an official statement or security patch to address the vulnerability.

Given the critical nature of CVE-2024-40891 and the lack of an official fix, organizations must take immediate action:

Monitor network traffic: Track suspicious activity directed toward the Telnet management interface of Zyxel CPE devices.

Restrict access: Allow access to the Telnet management interface only from trusted IP addresses.

Disable remote management: If Telnet or other remote administration features are not in use, they should be immediately disabled.

Stay updated: Regularly check Zyxel’s official sources for security updates and apply patches as soon as they are released.

Device lifecycle management: Discontinue the use of devices that no longer receive updates or security fixes.
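The first two measures above (monitor traffic toward the Telnet interface, allow it only from trusted addresses) as an added detection example, not code from the article or from Zyxel: it scans constructed key=value connection log lines, flags Telnet (tcp/23) sessions to known CPE management addresses that do not come from an allow-listed network, and ranks logins using the “supervisor” or “zyuser” accounts highest. The log format, device addresses and trusted network are assumptions.

```python
"""Detection aid for the Zyxel CPE Telnet exposure above: flag Telnet (tcp/23)
sessions to our CPE management addresses from non-allow-listed sources."""
import ipaddress
from typing import Iterable

# Assumption: management addresses of the Zyxel CPE devices we operate.
CPE_DEVICES = {"192.0.2.10", "192.0.2.11"}
# Assumption: the only networks permitted to reach the Telnet interface.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
# Service accounts named in the article; logins with these rank highest.
WATCHED_ACCOUNTS = {"supervisor", "zyuser"}

def parse_line(line: str) -> dict:
    """Parse one constructed key=value log line (e.g. 'src=1.2.3.4 dport=23')."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_trusted(src: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)

def find_suspicious_telnet(lines: Iterable[str]) -> list[dict]:
    """Return one finding per Telnet connection to a CPE from an untrusted source."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("proto") != "tcp" or rec.get("dport") != "23":
            continue  # only the Telnet management interface is in scope
        if rec.get("dst") not in CPE_DEVICES or is_trusted(rec["src"]):
            continue  # not one of our CPEs, or an allowed management host
        user = rec.get("user")
        severity = "high" if user in WATCHED_ACCOUNTS else "medium"
        findings.append({"src": rec["src"], "dst": rec["dst"],
                         "user": user, "severity": severity})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "ts=2025-01-29T10:00:01Z src=10.0.0.5 dst=192.0.2.10 dport=23 proto=tcp user=admin",
    "ts=2025-01-29T10:00:07Z src=198.51.100.7 dst=192.0.2.10 dport=23 proto=tcp user=supervisor",
    "ts=2025-01-29T10:00:09Z src=198.51.100.9 dst=192.0.2.11 dport=80 proto=tcp",
    "ts=2025-01-29T10:00:12Z src=203.0.113.4 dst=192.0.2.11 dport=23 proto=tcp",
    "ts=2025-01-29T10:00:15Z src=203.0.113.4 dst=192.0.2.50 dport=23 proto=tcp user=zyuser",
]

if __name__ == "__main__":
    for f in find_suspicious_telnet(SAMPLE_LOG):
        print(f"[{f['severity']}] telnet {f['src']} -> {f['dst']} user={f['user']}")
```

Feed it the same fields from a real flow or syslog export and add the device addresses and trusted networks of your own estate; a "high" finding means an untrusted host reached the Telnet interface with one of the named service accounts.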

CVE-2024-40891 poses a serious threat, as it is already being actively exploited by hackers. Since authentication is not required, attackers can execute arbitrary commands remotely without needing valid credentials.

Organizations and users relying on Zyxel CPE devices must take urgent security measures, such as monitoring for unauthorized traffic and disabling Telnet access whenever possible.

If Zyxel releases an official patch, it should be installed immediately, as cybercriminals are already exploiting this vulnerability in real-world attacks.

🔎 Cybersecurity must always be a priority!
