Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability

Jan 29, 2025Ravie LakshmananVulnerability / Network Security

Security researchers are warning that a critical zero-day vulnerability affecting Zyxel CPE Series devices is seeing widespread exploitation attempts in the wild.

"Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday.

CVE-2024-40891, a critical command injection vulnerability, has not been publicly disclosed or patched. VulnCheck first discovered the bug in July 2024.

Attack attempts have been launched from , according to the threat intelligence firm's data, with the majority of them occurring in Taiwan. According to Censys, there are more than 1,500 vulnerable devices exposed online.

"CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based," GreyNoise added. "Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts."

VulnCheck told The Hacker News that it is working through its relationship with the Japanese company. We have reached out to Zyxel for more information, and we will update the story as soon as we hear back.

In the interim, users are advised to restrict access to the administrative interface to trusted IP addresses and to filter for unusual HTTP requests to Zyxel CPE management interfaces.
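The interim advice above (allowlist administrative access, watch for unexpected requests to the management interface) can be turned into a simple log check. The following is an added example written for this article, not code from GreyNoise, VulnCheck or Zyxel: the access-log lines, the trusted networks, the management path prefixes and the admin ports are all constructed assumptions, not Zyxel's real URLs or configuration. It flags HTTP requests to management paths from non-allowlisted sources, and applies the same allowlist to raw connections on the management ports (Telnet and HTTP) so that both the Telnet-based and the HTTP-based issue the article mentions are covered by one policy.

```python
"""Flag management-interface access that does not come from a trusted admin
network. Added example; log lines, networks, paths and ports are constructed."""
import ipaddress
import re

# Constructed: the networks from which administration is allowed.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Assumption: path prefixes that reach the device's management UI/CGI.
# These are placeholders, not Zyxel's real paths.
MGMT_PREFIXES = ("/cgi-bin/", "/admin/")

# Assumption: ports on which the management plane is reachable (Telnet, HTTP).
ADMIN_PORTS = {23, 80}

# Combined-log-format style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the source address falls inside an allowlisted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the source field is never trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def is_mgmt_path(path):
    return path.startswith(MGMT_PREFIXES)


def flag_untrusted_mgmt_requests(lines):
    """HTTP requests to a management path from outside the trusted networks."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        if is_mgmt_path(rec["path"]) and not is_trusted(rec["ip"]):
            findings.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return findings


def flag_untrusted_admin_connections(conns):
    """Connections (src_ip, dst_port) on Telnet/HTTP admin ports from untrusted sources."""
    return [(src, port) for src, port in conns
            if port in ADMIN_PORTS and not is_trusted(src)]


# Constructed sample input: two trusted requests, two untrusted management hits,
# one non-management request and one malformed line.
SAMPLE_LOG = [
    '192.168.1.10 - - [29/Jan/2025:10:00:01 +0000] "GET /admin/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/Jan/2025:10:00:05 +0000] "POST /cgi-bin/login HTTP/1.1" 401 0',
    '198.51.100.23 - - [29/Jan/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [29/Jan/2025:10:00:12 +0000] "GET /admin/ HTTP/1.1" 403 -',
    'this line is not an access-log record',
]

# Constructed sample connections: (source IP, destination port).
SAMPLE_CONNS = [("10.20.30.40", 23), ("203.0.113.9", 23), ("198.51.100.5", 80), ("198.51.100.5", 443)]

if __name__ == "__main__":
    for f in flag_untrusted_mgmt_requests(SAMPLE_LOG):
        print("untrusted management request:", f)
    for f in flag_untrusted_admin_connections(SAMPLE_CONNS):
        print("untrusted admin-port connection:", f)
```

The allowlist is deliberately the single source of truth for both checks: a request that reaches the management UI from outside it is a finding regardless of whether the device returned 200, 401 or 403, because the point of the interim advice is that such sources should not be able to reach the interface at all.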

Arctic Wolf reported that it had observed a campaign beginning January 22, 2025 that involved gaining unauthorized access to devices using SimpleHelp remote desktop software as the initial entry vector.

It is currently not known whether the attacks are linked to the exploitation of in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.

Security researcher Andres Ramos said that "the first indicators of compromise were communications from the client process to an unauthorized SimpleHelp server instance." "The threat activity also involved using a command to enumerate accounts and domain information using tools like net and nltest, with the executable process initiated via a SimpleHelp session. Because the session was terminated before the intrusion could progress further, the threat actors were not observed carrying out their objectives."
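The two indicators Arctic Wolf describes (the SimpleHelp client process talking to a server that is not the organisation's own, and account/domain discovery commands such as net and nltest being spawned under a SimpleHelp session) map directly onto endpoint telemetry. The following detection logic is an added example, not Arctic Wolf's or SimpleHelp's code; the event records, the SimpleHelp executable name, the sanctioned server name and the destination addresses are all constructed assumptions.

```python
"""Detection logic for the two SimpleHelp indicators described above.
Added example; process names, server names and event records are constructed."""
from pathlib import PureWindowsPath

# Assumption: the only SimpleHelp server this organisation sanctions.
SANCTIONED_SERVERS = {"support.example.internal"}

# Assumption: executable name(s) treated as the SimpleHelp client process.
# Placeholder, not SimpleHelp's real binary name.
SIMPLEHELP_IMAGES = {"simplehelp-client.exe"}

# Built-in Windows tools named in the report as used for enumeration.
DISCOVERY_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def is_simplehelp(image):
    return basename(image) in SIMPLEHELP_IMAGES


def check_network_event(ev):
    """Indicator 1: SimpleHelp client connecting to a server that is not ours."""
    if is_simplehelp(ev["image"]) and ev["dest_host"] not in SANCTIONED_SERVERS:
        return f"SimpleHelp client {basename(ev['image'])} connected to unsanctioned server {ev['dest_host']}"
    return None


def check_process_event(ev):
    """Indicator 2: discovery tool started with a SimpleHelp process as parent."""
    if is_simplehelp(ev["parent_image"]) and basename(ev["image"]) in DISCOVERY_TOOLS:
        return f"discovery command under SimpleHelp session: {ev['command_line']}"
    return None


def analyse(events):
    """Run both checks over a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "network":
            f = check_network_event(ev)
        elif ev["type"] == "process":
            f = check_process_event(ev)
        else:
            f = None  # other event kinds are not relevant to these indicators
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: one benign connection, one to an unknown server,
# one net.exe under SimpleHelp, one nltest.exe under explorer, one benign child.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\SimpleHelp\simplehelp-client.exe",
     "dest_host": "support.example.internal"},
    {"type": "network", "image": r"C:\Program Files\SimpleHelp\simplehelp-client.exe",
     "dest_host": "203.0.113.50"},
    {"type": "process", "parent_image": r"C:\Program Files\SimpleHelp\simplehelp-client.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user /domain"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\nltest.exe", "command_line": "nltest /dclist:"},
    {"type": "process", "parent_image": r"C:\Program Files\SimpleHelp\simplehelp-client.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The parent-process condition is what keeps the second check specific: net and nltest run legitimately all the time, so the signal is not the tool itself but the tool being launched from inside a remote-support session, which is exactly the sequence the report describes.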

Organizations are advised to update their SimpleHelp instances to the latest publicly available fixed versions to protect against potential threats.

Update

The company told the publication that there are clear indications that threat actors are attempting to systematically exploit the vulnerability. After finding a "significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai," it also noted that some Mirai malware variants have now incorporated the ability to exploit CVE-2024-40891.
