Full Report
Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild. "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert
Analysis Summary
# Vulnerability: Active Exploitation of Zyxel CPE Command Injection (Telnet-based)
## CVE Details
- CVE ID: CVE-2024-40891
- CVSS Score: Not explicitly stated, but described as **critical** and similar to CVE-2024-40890 (which is typically high/critical).
- CWE: Command Injection (Inferred from description)
## Affected Systems
- Products: Zyxel CPE Series devices (Customer Premises Equipment)
- Versions: Unpatched versions (Specific versions not listed in the provided text, but the vulnerability is reported as existing in devices identified via Telnet banners).
- Configurations: Devices accessible via Telnet.
## Vulnerability Description
CVE-2024-40891 is a critical **command injection vulnerability** affecting Zyxel CPE Series devices. This flaw allows unauthenticated attackers to execute arbitrary system commands by leveraging service accounts over the **Telnet service**. It is noted as being very similar to CVE-2024-40890, which leveraged an HTTP-based vector. Successful exploitation leads to complete system compromise, data exfiltration, or network infiltration.
## Exploitation
- Status: **Active exploitation in the wild**
- Complexity: Low (Implied by unauthenticated access and successful exploitation evidenced by threat intel)
- Attack Vector: Network (via Telnet)
## Impact
- Confidentiality: High (System compromise, data exfiltration)
- Integrity: High (Arbitrary command execution)
- Availability: High (Complete system compromise)
## Remediation
### Patches
- No patch is available: at the time of the article the vulnerability had "neither been publicly disclosed nor patched" by Zyxel.
### Workarounds
- Users are advised to **filter traffic** for unusual HTTP requests to Zyxel CPE management interfaces. (Note: the primary flaw is Telnet-based; the HTTP filtering advice likely stems from the similarity to CVE-2024-40890 or from general hardening guidance.)
- **Block or restrict external access** to the Telnet service (Port 23) on these devices if possible.
## Detection
- Indicators of Compromise: Observed connections targeting Zyxel CPE management interfaces over Telnet (or HTTP if checking for related activity). Attack attempts have been tracked originating from dozens of IP addresses, many located in Taiwan.
- Detection Methods and Tools: GreyNoise has published a tag to track exploitation attempts (`zyxel-cpe-cve-2024-40891-command-injection-attempt`). Monitoring Telnet logs for unusual command inputs is recommended.
## References
- Vendor Advisories: None explicitly listed as patched/disclosed by Zyxel in this summary.
- Relevant Links:
  - grey-noise-io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891
  - vulncheck-com/blog/initial-access-intelligence-july-2024
  - censys-io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.telnet.banner%3A+%7B%22VMG1312-B10A%22%2C+%22VMG1312-B10B%22%2C+%22VMG1312-B10E%22%2C+%22VMG1312-B10B%22%2C+%22VMG3312-B10A%22%2C+%22VMG3313-B10A%22%2C+%22VMG3926-B10B%22%2C+%22VMG4325-B10A%22%2C+%22VMG4380-B10A%22%2C+%22VMG8324-B10A%22%2C+%22VMG8924-B10A%22%2C+%22SBG3300%22%2C+%22SBG3500%22%7D
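The Censys link above encodes the Telnet banner strings of the CPE models being tracked, and the Detection section recommends watching the Telnet service. The following is an added example (not code from the article, GreyNoise or Censys) that decodes the model list from that link and checks an asset inventory of Telnet banners against it, so a defender can find which of their own exposed devices match; the banner records are constructed sample data.

```python
"""Match Telnet banners from an asset inventory against the Zyxel CPE models
named in the Censys query cited in the references (added example)."""
import re
from urllib.parse import parse_qs, urlparse

# The Censys link as given in the references (dots in the host replaced by hyphens).
CENSYS_LINK = (
    "censys-io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE"
    "&q=services.telnet.banner%3A+%7B%22VMG1312-B10A%22%2C+%22VMG1312-B10B%22%2C+"
    "%22VMG1312-B10E%22%2C+%22VMG1312-B10B%22%2C+%22VMG3312-B10A%22%2C+"
    "%22VMG3313-B10A%22%2C+%22VMG3926-B10B%22%2C+%22VMG4325-B10A%22%2C+"
    "%22VMG4380-B10A%22%2C+%22VMG8324-B10A%22%2C+%22VMG8924-B10A%22%2C+"
    "%22SBG3300%22%2C+%22SBG3500%22%7D"
)

# Constructed sample inventory: (host, Telnet banner). Addresses are TEST-NET-1.
SAMPLE_BANNERS = [
    ("192.0.2.10", "VMG1312-B10B login:"),
    ("192.0.2.11", "Welcome to SBG3500\r\nLogin:"),
    ("192.0.2.12", "Ubuntu 22.04 LTS\r\nlogin:"),
    ("192.0.2.13", "VMG8924-B10A telnet service"),
]


def models_from_censys_link(link: str) -> set[str]:
    """Decode the q= parameter (services.telnet.banner: {"A", "B", ...}) and
    return the set of quoted model names; duplicates in the query collapse."""
    query = parse_qs(urlparse(link).query).get("q", [""])[0]
    return set(re.findall(r'"([^"]+)"', query))


def find_affected(records, models) -> list[tuple[str, str]]:
    """Return (host, model) for every banner that names one of the models.
    Word boundaries avoid matching a model string embedded in a longer token."""
    patterns = [(m, re.compile(r"\b" + re.escape(m) + r"\b")) for m in sorted(models)]
    hits = []
    for host, banner in records:
        for model, pattern in patterns:
            if pattern.search(banner):
                hits.append((host, model))
                break  # one model per device is enough
    return hits


if __name__ == "__main__":
    models = models_from_censys_link(CENSYS_LINK)
    print(f"{len(models)} models in query: {', '.join(sorted(models))}")
    for host, model in find_affected(SAMPLE_BANNERS, models):
        print(f"{host}: {model} exposed over Telnet - verify vendor status and restrict port 23")
```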