Zero-Day Vulnerability in Zyxel CPE Devices: A Growing Threat

A Command-Injection Vulnerability in Zyxel CPE Series Devices

A command-injection vulnerability in Zyxel CPE Series devices is being targeted by threat actors, and there’s no patch available. The bug, tracked as CVE-2024-40891, was first discovered by VulnCheck, a vulnerability intelligence firm, and disclosed to the vendor last July. Half a year later, Zyxel has yet to fix or even mention the vulnerability.

Potential Risks and Consequences

If successfully exploited, CVE-2024-40891 could allow threat actors to execute arbitrary commands on infected devices, ultimately potentially leading to system compromise, network infiltration, and data leaks, according to VulnCheck.

Public Disclosure of the Vulnerability

Researchers at GreyNoise have been coordinating with the researchers at VulnCheck regarding exploitation of the vulnerability, and decided to disclose it publicly this week due to the "large number of attacks" they have been observing.

Similarity to a Known Issue

CVE-2024-40891 is very similar to a known issue tracked as CVE-2024-40890, with the primary difference between the two being one is telnet-based and the other HTTP-based. Both, however, allow unauthenticated attackers to execute arbitrary commands using service accounts, whether in the "supervisor" or "zyuser" roles.

Lack of Patch and Growing Threat

The lack of a patch could be a significant issue: Censys is reporting more than 1,500 vulnerable devices online, and it looks like some botnet operators have built exploits for the bug into their code, according to GreyNoise.

Mirai Botnet Connection

"After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains," the researchers noted.

Recommendations for Users

Since there is no current fix, GreyNoise recommended that users filter traffic for unusual requests to Zyxel CPE management interfaces, monitor Zyxel’s security updates to be aware if a patch is made available, restrict administrative interface access to trusted IPs, and disable unused remote management features.