Security researchers at VulnCheck have identified critical vulnerabilities in Zyxel Customer Premises Equipment (CPE) that leave a large number of users exposed to remote attack.
These vulnerabilities, which affect a range of Zyxel routers, can be chained together to allow unauthenticated attackers to execute arbitrary code on the affected devices. This essentially grants attackers full control over the routers, enabling them to steal data, launch further attacks, or disrupt internet connectivity.
“The combination of the vulnerabilities allows for unauthenticated code execution via Telnet,” the VulnCheck report warns. This is particularly concerning because Telnet, an older protocol, sends credentials and session data in cleartext and offers no authentication hardening, which is why it is generally considered unsafe for internet-facing services.
Worryingly, these vulnerabilities are actively being exploited in the wild. GreyNoise, a cybersecurity firm, has reported observing attackers targeting their honeypot network with these exploits.
Affected Devices
While Zyxel has yet to confirm the full list of affected devices, VulnCheck believes the following models are likely vulnerable:
- VMG1312-B10A
- VMG1312-B10B
- VMG1312-B10E
- VMG3312-B10A
- VMG3313-B10A
- VMG3926-B10B
- VMG4325-B10A
- VMG4380-B10A
- VMG8324-B10A
- VMG8924-B10A
- SBG3300
- SBG3500
These routers, though reportedly end-of-life, are still widely used. Shockingly, some are even available for purchase on Amazon.
Vulnerability Details
The vulnerabilities stem from a combination of issues, including:
- CVE-2024-40891: An authenticated command injection vulnerability in the Telnet service.
- CVE-2025-0890: The presence of default credentials, including the previously documented “supervisor:zyad1234” and a poorly documented “zyuser:1234” account.
The command injection vulnerability allows attackers to execute arbitrary commands on the device if they can authenticate with any user account. The default credentials supply exactly that authentication, which is what turns an authenticated bug into an unauthenticated remote code execution chain.
Urgent Action Needed
Given the severity of these vulnerabilities and the active exploitation, users of Zyxel CPE devices are urged to take immediate action.
Zyxel has confirmed that the affected models are end-of-life and recommends replacing them with newer devices. If replacing the device is not immediately feasible, users should disable Telnet access and ensure no default credentials are in use.
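As an added detection example (not code from VulnCheck, GreyNoise or Zyxel), the following Python flags successful Telnet logins that used the default accounts named above or that came from outside a trusted management network. The syslog-style line format, the trusted network and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re

# Default accounts named in the VulnCheck report (CVE-2025-0890).
DEFAULT_ACCOUNTS = {"supervisor", "zyuser"}
# Networks from which Telnet management is expected (an assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in a generic syslog style; the field layout is an
# assumption for this example, not Zyxel's actual log format.
SAMPLE_LOGS = """\
Jan 29 03:12:44 cpe telnetd: login from 203.0.113.7 user=supervisor result=success
Jan 29 03:12:50 cpe telnetd: login from 203.0.113.7 user=supervisor result=success
Jan 29 08:40:01 cpe telnetd: login from 192.168.1.20 user=admin result=success
Jan 29 09:15:33 cpe telnetd: login from 198.51.100.9 user=zyuser result=failure
Jan 29 09:15:41 cpe telnetd: login from 198.51.100.9 user=zyuser result=success
Jan 29 10:02:10 cpe telnetd: login from 192.168.1.5 user=zyuser result=success
"""

LINE_RE = re.compile(
    r"telnetd: login from (?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)"
)


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(log_text: str) -> list:
    """Return (source, user, reasons) for each successful Telnet login that
    either used a default account or came from outside the trusted networks."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "success":
            continue  # ignore non-login lines and failed attempts
        reasons = []
        if m["user"] in DEFAULT_ACCOUNTS:
            reasons.append("default account")
        if not is_trusted(m["src"]):
            reasons.append("untrusted source")
        if reasons:
            alerts.append((m["src"], m["user"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for src, user, reasons in analyse(SAMPLE_LOGS):
        print(f"{src:>15} {user:<11} {', '.join(reasons)}")
```

Any hit on a default account is itself evidence that the credential clean-up step above has not been completed on that device.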