Wednesday, February 5, 2025

Zyxel won't patch newly exploited flaws in end-of-life routers

Zyxel has issued a security advisory about actively exploited flaws in its CPE Series devices, warning that it has no plans to issue patches and urging users to move to actively supported models.

VulnCheck discovered the two flaws in July 2024, but last week GreyNoise reported having seen exploitation attempts in the wild.

According to the network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant.

In a new post today, VulnCheck provided the full details of the two flaws it observed in attacks aimed at gaining initial access to networks:

  • CVE-2024-40891 – Authenticated users can exploit a Telnet command injection caused by improper command validation in libcms_cli.so. Certain commands (e.g., ifconfig, ping, tftp) are passed unchecked to a shell execution function, allowing arbitrary code execution using shell metacharacters.
  • CVE-2025-0890 – Devices ship with weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many users do not change. The supervisor account has hidden privileges granting full system access, while zyuser can exploit CVE-2024-40891 for remote code execution.

Default accounts in the /etc/default.cfg file
Source: VulnCheck
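The CVE-2024-40891 description above is the classic pattern of a CLI front-end pasting a user-supplied argument into a shell command line. The following added example (not Zyxel's, VulnCheck's, or libcms_cli.so's code; the function names and the fixed three-command allowlist are assumptions for illustration) contrasts that injectable pattern with a hardened one: an allowlist of permitted tools, strict validation of the argument against the character set a hostname, IPv4 address or interface name can contain, and execution through execvp() with a fixed argv array so that no shell ever parses the input.

```c
/* Added illustration: injectable vs. hardened handling of a CLI argument.
 * Not code from the affected firmware; names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tools the CLI may run. Anything not listed is rejected outright. */
static const char *ALLOWED_CMDS[] = { "ping", "ifconfig", "tftp", NULL };

/* Returns 1 if cmd is on the allowlist, 0 otherwise. */
int cmd_allowed(const char *cmd) {
    for (int i = 0; ALLOWED_CMDS[i] != NULL; i++)
        if (strcmp(cmd, ALLOWED_CMDS[i]) == 0) return 1;
    return 0;
}

/* Positive validation: accept only characters that can appear in a hostname,
 * dotted IPv4 address or interface name. Every shell metacharacter
 * (; | & ` $ ( ) < > space, newline ...) falls outside this set. */
int arg_is_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' || c == ':'))
            return 0;
    }
    return 1;
}

/* The injectable pattern: the argument is concatenated into one string that a
 * caller would hand to system() or popen(). Shown only as a formatter here; it
 * never executes anything. Returns 1 when the string fit in the buffer. */
int build_shell_string(char *out, size_t outlen, const char *cmd, const char *arg) {
    int n = snprintf(out, outlen, "%s %s", cmd, arg);
    return n > 0 && (size_t)n < outlen;
}

/* The hardened pattern: validate, then fork/execvp with a fixed argv so the
 * argument is always exactly one argv element. Returns -1 when the command or
 * argument is rejected (or exec fails), else the child's exit status. */
int run_tool_safely(const char *cmd, const char *arg) {
    if (!cmd_allowed(cmd) || !arg_is_safe(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { (char *)cmd, (char *)arg, NULL };
        execvp(cmd, argv);
        _exit(127);                 /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample arguments: two legitimate, two carrying metacharacters. */
    const char *samples[] = { "192.0.2.1", "eth0", "192.0.2.1; echo injected", "$(echo injected)" };
    char line[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_shell_string(line, sizeof line, "ping", samples[i]);
        printf("%-28s -> shell string \"%s\" | validator: %s\n", samples[i], line,
               arg_is_safe(samples[i]) ? "accept" : "REJECT");
    }
    /* The hardened path refuses the injection attempt without running anything. */
    printf("run_tool_safely(ping, \"a;b\") = %d\n", run_tool_safely("ping", "a;b"));
    return 0;
}
```

The key design point is that the hardened path never fixes the problem by escaping: it rejects anything outside a positive character set and then bypasses the shell entirely, so there is no quoting layer left to get wrong.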

VulnCheck disclosed the full exploitation details, demonstrating its PoC against a VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615.

PoC for Telnet command injection
Source: VulnCheck

The researchers warned that although these devices have been unsupported for several years, they are still found in networks worldwide.

"While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers," warned VulnCheck.

"The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research."

Zyxel suggests replacement

Zyxel's latest advisory confirms that the vulnerabilities disclosed by VulnCheck today impact several end-of-life (EoL) products.

The vendor states that the impacted devices reached EoL several years ago and suggests replacing them with newer-generation equipment.

"We've confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years," reads Zyxel's advisory.

"Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection."

Zyxel also includes a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection problem similar to CVE-2024-40891.

Interestingly, Zyxel claims that although it has asked VulnCheck to share a detailed report since last July, the researchers never did. Instead, they allegedly published their write-up without informing the vendor.
