Significant Vulnerability In Zyxel CPE Series Devices Is Being Actively Exploited
Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that has remained unpatched since last July.
GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online.
CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser).
Martin Jartelius, CISO at Outpost24, had this to say:
“This is a case where the CVE system has not been efficient. As vendors withhold publishing information and CVEs until they have a solution, organizations are unable to proactively take action and remove critically vulnerable devices.”
“The vulnerability was put in a reserved state in July 2024 and has since remained undisclosed by the vendor, meaning that currently it is also not indexed by sources such as NVD. Many organizations source their vulnerability information from NVD, and even though security researchers and the vendor are aware, customers remain uninformed.”
“If we turn to the vendor and review the available drivers, they have a range of release dates, some dating as old as 2016, others released in spring 2024.”
“It should be noted that the devices are not present on either of the vendor's lists of End-Of-Life devices, and the lack of updates addressing the issue is very concerning. Zyxel already prior to this constitutes several of the vulnerabilities listed in the CISA KEV list, and if the latest two are added, Zyxel will on their own constitute 1% of the total list of Known Exploited Vulnerabilities.”
To say that this isn’t good is an understatement. Hopefully Zyxel decides to address this issue ASAP, because the fact that this is being actively exploited isn’t going to end well for anyone using these Zyxel devices. Nor will it end well for Zyxel.
This entry was posted on January 30, 2025 at 11:45 am and is filed under Commentary with tags ZyXEL. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.