Researchers Warn of Zero-Day Vulnerability in Zyxel CPE Devices

Friday, January 31, 2025

Cybersecurity researchers have issued a warning about a critical zero-day vulnerability in Zyxel CPE Series devices that is being actively exploited. The flaw, tracked as CVE-2024-40891, is an unpatched command injection vulnerability that allows attackers to execute arbitrary commands on affected devices, which can lead to full device compromise, data theft, and onward infiltration of the network behind the CPE.

Glenn Thorpe of GreyNoise noted that CVE-2024-40891 is very similar to the previously observed CVE-2024-40890. The main difference is the attack vector: CVE-2024-40891 is Telnet-based, whereas CVE-2024-40890 is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands through built-in service accounts. According to GreyNoise and Censys, more than 1,500 Zyxel CPE devices are exposed on the internet and at risk of exploitation, and most of the attacking IP addresses are located in Taiwan.

As no official patch is available yet, researchers recommend immediate mitigations: filter traffic for unusual HTTP requests to Zyxel CPE management interfaces, and restrict access to administrative interfaces (including the Telnet service, which is the vector for CVE-2024-40891) to trusted IP addresses only. Separately, three vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) were recently disclosed in SimpleHelp remote monitoring and management software. They allow path traversal, privilege escalation to administrator level, and arbitrary file upload, and have also been observed in attacks. It remains unclear whether the two sets of attacks are connected.
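The following is an added example, not code from the original article or from GreyNoise, illustrating the recommended check: audit firewall logs for any allowed connection to a CPE's management services (Telnet, HTTP, HTTPS) from a source outside an allowlist of trusted administrative networks, and tag each hit with the vulnerability that uses that service as its vector. The log format, IP addresses and the trusted network are constructed assumptions.

```python
"""Audit firewall logs for management-interface access to a Zyxel CPE from
outside the trusted administrative networks.

Added example, not from the original article. The key=value log format,
the addresses and the trusted network below are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumption: networks from which administrative access is legitimate.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]

# Management services exposed by the CPE, mapped to the disclosed flaw that
# uses each service as its attack vector (Telnet: CVE-2024-40891, HTTP: CVE-2024-40890).
MGMT_PORTS = {
    23: ("telnet", "CVE-2024-40891"),
    80: ("http", "CVE-2024-40890"),
    443: ("https", "CVE-2024-40890"),
}

# Constructed sample firewall log; 192.0.2.10 is the CPE's WAN address.
SAMPLE_LOG = """\
2025-01-29T10:00:01Z src=10.20.30.40 dst=192.0.2.10 dport=443 action=allow
2025-01-29T10:00:05Z src=203.0.113.7 dst=192.0.2.10 dport=23 action=allow
2025-01-29T10:00:09Z src=203.0.113.7 dst=192.0.2.10 dport=80 action=allow
2025-01-29T10:00:12Z src=198.51.100.22 dst=192.0.2.10 dport=443 action=allow
2025-01-29T10:00:15Z src=198.51.100.22 dst=192.0.2.10 dport=8080 action=allow
2025-01-29T10:00:20Z src=10.20.30.41 dst=192.0.2.10 dport=23 action=allow
2025-01-29T10:00:25Z src=203.0.113.7 dst=192.0.2.10 dport=23 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip_str):
    """True if the address lies inside one of the trusted admin networks.
    Unparseable addresses are treated as untrusted."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def audit(log_text):
    """Return one finding per allowed management-port connection from an
    untrusted source. Denied connections and non-management ports are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in MGMT_PORTS:
            continue
        if rec["action"] != "allow":
            continue  # the firewall already blocked it
        if is_trusted(rec["src"]):
            continue
        service, cve = MGMT_PORTS[rec["dport"]]
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "service": service,
            "cve": cve,
        })
    return findings


def top_sources(findings, n=5):
    """Most frequent untrusted sources, useful for blocklisting and for
    checking where the activity originates geographically."""
    return Counter(f["src"] for f in findings).most_common(n)


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']} {h['service']} (vector for {h['cve']})")
    print("top sources:", top_sources(hits))
```

Any finding at all means the management plane is reachable from outside the allowlist and the interim mitigation is not in place; the Telnet hits are the ones to prioritise while CVE-2024-40891 is unpatched.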

Source https://thehackernews.com/2025/01/zyxel-cpe-devices-face-active.html