
A critical zero-day vulnerability affecting Zyxel CPE (Customer Premises Equipment) devices, tracked as CVE-2024-40891, is being actively exploited in the wild. According to GreyNoise, the flaw is a command injection reachable through the devices' telnet service: a remote attacker can execute arbitrary commands on the device, which amounts to full compromise of it.
The vulnerability was first disclosed by VulnCheck on August 1, 2024, but as of this writing Zyxel has released neither a patch nor an advisory. Because of the rapid surge in attacks, GreyNoise chose to publish its findings immediately rather than wait for vendor coordination.
“Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately,” GreyNoise Security said.

CVE-2024-40891 is a command injection vulnerability in the telnet service that lets an attacker execute arbitrary commands after logging in with the device's service accounts, supervisor and zyuser. It is closely related to CVE-2024-40890, another Zyxel CPE vulnerability: the two are reached over different services, CVE-2024-40890 over HTTP and CVE-2024-40891 over telnet.
GreyNoise, citing Censys data, reports that over 1,500 vulnerable devices are exposed online, making them attractive targets for botnet recruitment, espionage, and network intrusion. “At publication, Censys is reporting over 1,500 vulnerable devices online.”
Attackers scan for Zyxel CPE devices with telnet exposed. Once a target is found, they:
- Log in over telnet with the device's built-in service accounts (e.g., supervisor, zyuser).
- Inject commands through the telnet interface.
- Gain full control of the device, which lets them:
  - steal network credentials and configuration data;
  - deploy Mirai-based botnet malware;
  - launch DDoS attacks or move laterally within the network.
“GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891.”
GreyNoise researchers found a significant overlap between the IPs exploiting CVE-2024-40891 and those already classified as Mirai. On examining a recent Mirai variant, they confirmed that some Mirai strains now carry the exploit, which puts compromised Zyxel devices into the pool used for mass IoT-based DDoS attacks.
“After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains.”
Given Mirai’s history of infecting IoT and network devices, the potential impact is severe, particularly for home and enterprise network infrastructures reliant on Zyxel hardware.
Since no official patch is available yet, GreyNoise recommends the following urgent mitigation measures:
✅ Monitor for unusual telnet activity – Watch device and network logs for login attempts against Zyxel CPE management interfaces, in particular logins with the supervisor and zyuser accounts from addresses outside the network you manage.
✅ Restrict administrative interface access – Allow management access only from trusted internal IPs.
✅ Disable unused remote management services – If telnet is not needed, turn it off entirely.
✅ Follow Zyxel security advisories – Apply a patch as soon as one is released.
✅ Replace end-of-life devices – If a device is no longer supported by Zyxel, replace it with a supported model.
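The first two mitigations can be turned into a simple detection. The script below is an added example, not GreyNoise's or Zyxel's own tooling: it reads syslog-style telnet login events, flags any login with the supervisor or zyuser service accounts from an address outside a trusted allow-list, and separately flags repeated failed logins from one address (scanner or brute-force behaviour). The log line format (`<timestamp> <host> telnetd: login <user> from <ip> <ok|failed>`) is an assumption for illustration; real Zyxel CPE logs will differ, so `LOG_RE` must be adapted to the device's actual output. The sample lines are constructed, not captured from a real device.

```python
"""Flag telnet logins to Zyxel CPE service accounts from untrusted addresses.

Added example, not GreyNoise's or Zyxel's own code. The log format is a
hypothetical syslog-style shape; adapt LOG_RE to the real device output.
"""
import ipaddress
import re
from dataclasses import dataclass

# Service accounts named in the reporting on CVE-2024-40891.
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}

# Hypothetical line shape: "<ts> <host> telnetd: login <user> from <ip> <ok|failed>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<user>\S+) "
    r"from (?P<ip>\S+) (?P<result>ok|failed)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    ip: str
    reason: str


def parse_line(line):
    """Return the fields of a telnet login event, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip, trusted_nets):
    """True if ip falls inside one of the trusted networks; unparsable -> untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def flag_telnet_logins(lines, trusted_nets, fail_threshold=3):
    """Return alerts for (a) the first service-account login, successful or not,
    from each untrusted (user, ip) pair and (b) fail_threshold failed logins from
    one source address."""
    alerts = []
    seen = set()      # (user, ip) pairs already reported
    failures = {}     # ip -> number of failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a telnet login event
        key = (rec["user"], rec["ip"])
        if rec["user"] in SERVICE_ACCOUNTS and not is_trusted(rec["ip"], trusted_nets) \
                and key not in seen:
            seen.add(key)
            alerts.append(Alert(rec["ts"], rec["user"], rec["ip"],
                                f"service account {rec['user']} login ({rec['result']}) "
                                f"from untrusted address"))
        if rec["result"] == "failed":
            failures[rec["ip"]] = failures.get(rec["ip"], 0) + 1
            if failures[rec["ip"]] == fail_threshold:
                alerts.append(Alert(rec["ts"], rec["user"], rec["ip"],
                                    f"{fail_threshold} failed telnet logins from one address"))
    return alerts


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    "2025-01-28T10:00:01Z cpe1 telnetd: login admin from 192.168.1.10 ok",
    "2025-01-28T10:05:12Z cpe1 telnetd: login supervisor from 198.51.100.23 ok",
    "2025-01-28T10:05:13Z cpe1 telnetd: login zyuser from 203.0.113.7 failed",
    "2025-01-28T10:05:14Z cpe1 telnetd: login zyuser from 203.0.113.7 failed",
    "2025-01-28T10:05:15Z cpe1 telnetd: login zyuser from 203.0.113.7 failed",
    "2025-01-28T10:06:00Z cpe1 dhcpd: lease 192.168.1.55 renewed",
    "2025-01-28T10:07:00Z cpe1 telnetd: login supervisor from 192.168.1.10 ok",
]
# Assumed management network; replace with the ranges you actually administer from.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

if __name__ == "__main__":
    for a in flag_telnet_logins(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{a.ts} {a.user}@{a.ip}: {a.reason}")
```

On the sample above this yields three alerts: the supervisor login from 198.51.100.23, the first zyuser attempt from 203.0.113.7, and the third failed attempt from that address. The successful supervisor login from 192.168.1.10 is not reported because the address is trusted, which is exactly why the allow-list must be tight: the service accounts are legitimate on the device, so source address is the only signal that separates an administrator from an attacker.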