Threat actors are exploiting a zero-day vulnerability in Zyxel CPE Series devices months after the security flaw was originally reported to the company, researchers at GreyNoise disclosed in a blog post Tuesday.
The critical command-injection vulnerability, tracked as CVE-2024-40891, allows an attacker to execute arbitrary commands on a CPE Series device, which can lead to exfiltration of data, infiltration of a computer network or total system compromise.
“Due to GreyNoise’s first-hand, confirmed mass exploitation attempts for this vulnerability, we chose to disclose this to raise awareness among those who may be impacted,” a spokesperson for GreyNoise said via email. “All decisions to move forward were made in conjunction with VulnCheck and its policies.”
Researchers at VulnCheck originally reported the vulnerability to Zyxel in August 2024, but the vendor has yet to officially publish a CVE or publicly disclose the flaw, according to the blog post. There is no patch for the issue at this time, and Censys data shows up to 1,500 devices are exposed.
Censys said it has high confidence the devices are online and potentially match the vulnerability, but does not yet have information on confirmed vulnerable versions or any confirmed information from the National Vulnerability Database.
Last week, GreyNoise and VulnCheck researchers joined forces to confirm the scope of the attack activity, according to the blog post.
VulnCheck researchers are “working through their disclosure process with Zyxel and will be sharing more details next week,” a spokesperson for VulnCheck said via email.
GreyNoise researchers, meanwhile, said the flaw is similar to another vulnerability, CVE-2024-40890, based on observed authentication and command injection attempts. The major difference is that CVE-2024-40891 is telnet-based and CVE-2024-40890 is HTTP-based, according to GreyNoise.
In early December the Cybersecurity and Infrastructure Security Agency and German authorities warned of a directory traversal vulnerability in Zyxel firewalls being exploited to deploy Helldown ransomware. That vulnerability was tracked as CVE-2024-11667.
A spokesperson for Zyxel was not immediately available for comment.