Dive Brief:
- An actively exploited vulnerability disclosed last week in Zyxel CPE Series devices affects routers that have already reached end-of-life status, VulnCheck researchers said in a blog post released Tuesday.
- Researchers from GreyNoise warned late last month that the vulnerability, tracked as CVE-2024-40891, was under active exploitation and had yet to be patched or formally disclosed by the manufacturer. Researchers later confirmed that an exploit for CVE-2024-40891 had been incorporated into certain strains of the Mirai botnet.
- Zyxel confirmed that vulnerabilities tracked as CVE-2024-40890, CVE-2024-40891 and CVE-2025-0890 impact certain DSL CPE models that have been out of service for years. The company urged users to replace the legacy products with modern, supported versions, according to a bulletin released Tuesday.
Dive Insight:
VulnCheck researchers first identified CVE-2024-40891, a critical command injection vulnerability, in August 2024. VulnCheck and GreyNoise researchers worked together to confirm the flaw; GreyNoise then revealed it publicly in late January because the manufacturer had not yet made a public disclosure or released a patch.
The vulnerability can allow an attacker to execute arbitrary commands on the device. From there, attackers can carry out post-exploitation activities such as data exfiltration or full system compromise.
VulnCheck researchers had communicated their concerns to Zyxel and were initially expecting some form of coordinated disclosure. However, at that point Zyxel had not made any public disclosure, nor had the company returned repeated requests for comment.
“Most of our conversations [with Zyxel] have focused on coordination of public details,” Jacob Baines, CTO of VulnCheck, told Cybersecurity Dive via email.
Baines said it was unlikely the vendor would issue a patch, given the end-of-life status of the devices.
Most of the affected routers are residential devices, but threat groups have exploited a range of edge devices in recent years to target critical infrastructure, using living-off-the-land techniques once inside.
VulnCheck researchers said in the blog post that an authenticated command injection has limited value on its own, but noted that the devices in question "appear to be provisioned with default accounts," which means an attacker who knows those accounts does not need to obtain credentials first.
That default-credentials issue has been assigned a separate identifier, CVE-2025-0890, covering the use of insecure default credentials for the Telnet service in legacy DSL CPE VMG4325-B10A firmware.