Critical Zero-Day Vulnerability in Zyxel CPE Devices Under Active Exploitation

Cybersecurity experts are raising alarms about a critical zero-day vulnerability affecting Zyxel CPE Series devices, which is currently being actively targeted by attackers.

According to Glenn Thorpe, a researcher at GreyNoise, threat actors can exploit this flaw—tracked as CVE-2024-40891—to execute arbitrary commands on vulnerable devices. This could lead to full system compromise, data theft, or unauthorized network access. Thorpe’s warning, published Tuesday, highlights the severity of the issue, as no official patch has been released.

Ongoing Attacks and Scope of the Threat

The existence of CVE-2024-40891 was initially reported by VulnCheck in July 2024. Threat intelligence data indicates that attack attempts have been traced to multiple IP addresses, with a significant concentration in Taiwan. Security firm Censys has identified more than 1,500 potentially vulnerable devices exposed online.

GreyNoise researchers noted that CVE-2024-40891 is similar to CVE-2024-40890, with the primary difference being that the former exploits Telnet while the latter leverages HTTP. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts.

VulnCheck has confirmed that it is working through a responsible disclosure process with Zyxel. We have reached out to Zyxel for further comment and will provide updates as new information becomes available.

Mitigation Measures for Zyxel Users

Until an official patch is released, users are urged to implement the following security measures:

  • Monitor Zyxel CPE management interfaces for unusual HTTP requests.
  • Restrict administrative interface access to trusted IP addresses.
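The two measures above can be turned into a small log check. The following is an added example written for this article, not code from Zyxel, GreyNoise or VulnCheck: it parses web-server access-log lines in the common format, allowlists trusted management networks, and flags management-interface requests from other sources or requests carrying shell metacharacters. The trusted networks, management path prefixes and the sample log lines are all constructed for the example, and the metacharacter pattern is a generic command-injection heuristic rather than a signature for CVE-2024-40891. Since the article notes that CVE-2024-40891 abuses Telnet while its HTTP sibling is CVE-2024-40890, the source-address allowlist is the part that applies to both services; the HTTP log check only covers the web interface.

```python
import ipaddress
import re
from urllib.parse import unquote

# Trusted management networks (constructed values for this example; use your own).
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Path prefixes that reach the device's web management interface. These are
# assumed, not taken from Zyxel documentation; adjust to what your firmware exposes.
MGMT_PATH_PREFIXES = ("/cgi-bin/", "/admin", "/login")

# Generic shell metacharacters that rarely belong in a legitimate management
# request. This is a broad command-injection heuristic, not a CVE-specific signature.
INJECTION_PATTERN = re.compile(r"[;|`]|\$\(|&&")

# Apache/nginx "common" log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode %xx escapes so an encoded ';' or '|' is visible to the heuristic.
    entry["path"] = unquote(entry["path"])
    return entry


def is_trusted(ip):
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def classify(entry):
    """Return the reasons a request is suspicious (empty list if none)."""
    reasons = []
    if entry["path"].startswith(MGMT_PATH_PREFIXES) and not is_trusted(entry["ip"]):
        reasons.append("management path from untrusted source")
    if INJECTION_PATTERN.search(entry["path"]):
        reasons.append("shell metacharacters in request")
    return reasons


def scan_log(lines):
    """Return (ip, decoded path, reasons) for every suspicious request."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.1.20 - - [28/Jan/2025:10:00:01 +0000] "GET /admin/status HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/Jan/2025:10:00:07 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 401 0',
    '203.0.113.45 - - [28/Jan/2025:10:00:09 +0000] "POST /cgi-bin/status.cgi?host=127.0.0.1%3Bcmd HTTP/1.1" 500 0',
    '198.51.100.7 - - [28/Jan/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(reasons)}")
```

Run against the sample, the trusted request to /admin/status and the plain /index.html fetch are ignored, while the two requests from 203.0.113.45 are reported, the second with both reasons because the decoded query string contains a `;`. Decoding before matching matters: a percent-encoded metacharacter would otherwise slip past the pattern. The same allowlist should be enforced on the device itself (or an upstream firewall), since log review only tells you after the fact.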

Related Threat Activity: SimpleHelp Exploitation

In a separate but related development, cybersecurity firm Arctic Wolf has detected a campaign—beginning January 22, 2025—where attackers gained unauthorized access to devices running SimpleHelp remote desktop software. It remains unclear if these incidents are connected to recently disclosed vulnerabilities in SimpleHelp (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), which could allow attackers to escalate privileges and upload malicious files.

Security researcher Andres Ramos reported that early signs of compromise included communication between the SimpleHelp client process and an unauthorized SimpleHelp server instance. Attackers also attempted to enumerate accounts and domain details using cmd.exe, with tools like net and nltest. However, the attack was disrupted before further malicious actions could be carried out.
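The two indicators Ramos describes, a SimpleHelp client talking to a server the organisation does not operate and cmd.exe launching net or nltest for account and domain discovery, map directly onto process-creation and network-connection telemetry. The following is an added example written for this article, not code from Arctic Wolf or SimpleHelp: it defines minimal event records, runs both detections over a constructed event set, and correlates them per host so that a host showing both signals is surfaced first. The approved server hostname, the SimpleHelp client binary names, the Windows paths and all sample events are assumptions made for the example; check the binary names against your own deployment.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


# Minimal event shapes, constructed for this example. Map your EDR or Sysmon
# fields (Sysmon event 1 for process creation, event 3 for network connections)
# onto these before running the detections.
@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class NetworkEvent:
    host: str
    image: str
    dest_host: str
    dest_port: int


# The SimpleHelp server your organisation operates (constructed hostname).
APPROVED_SIMPLEHELP_SERVERS = {"support.example.internal"}
# Assumed SimpleHelp client binary names; verify against your own deployment.
SIMPLEHELP_CLIENT_IMAGES = {"simplehelp.exe", "simpleservice.exe"}

# Account/domain enumeration tools and the sub-commands that indicate discovery.
ENUM_TOOLS = {"net.exe", "net1.exe", "nltest.exe"}
ENUM_TOKENS = {"user", "group", "localgroup", "/domain_trusts", "/dclist", "/dsgetdc"}

Alert = Tuple[str, str, str]  # (host, kind, detail)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_enumeration(ev: ProcessEvent) -> Optional[Alert]:
    """cmd.exe spawning net/nltest with a discovery sub-command."""
    if basename(ev.parent_image) != "cmd.exe" or basename(ev.image) not in ENUM_TOOLS:
        return None
    # Strip ":value" suffixes so "/dclist:corp.local" still matches "/dclist".
    tokens = {t.split(":", 1)[0] for t in ev.command_line.lower().split()}
    if not tokens & ENUM_TOKENS:
        return None
    return (ev.host, "enumeration", ev.command_line)


def detect_rogue_server(ev: NetworkEvent) -> Optional[Alert]:
    """SimpleHelp client talking to a server that is not on the approved list."""
    if basename(ev.image) not in SIMPLEHELP_CLIENT_IMAGES:
        return None
    if ev.dest_host.lower() in APPROVED_SIMPLEHELP_SERVERS:
        return None
    return (ev.host, "rogue_server", f"{ev.dest_host}:{ev.dest_port}")


def run_detections(events: List[Union[ProcessEvent, NetworkEvent]]) -> List[Alert]:
    """Apply the matching detection to each event and collect the alerts."""
    alerts = []
    for ev in events:
        alert = detect_enumeration(ev) if isinstance(ev, ProcessEvent) else detect_rogue_server(ev)
        if alert:
            alerts.append(alert)
    return alerts


def correlate(alerts: List[Alert]) -> set:
    """Hosts showing both signals: the strongest match for the described chain."""
    kinds_by_host = {}
    for host, kind, _ in alerts:
        kinds_by_host.setdefault(host, set()).add(kind)
    return {h for h, kinds in kinds_by_host.items() if {"enumeration", "rogue_server"} <= kinds}


# Constructed sample telemetry (hostnames, paths and addresses are made up).
SAMPLE_EVENTS = [
    NetworkEvent("WS01", r"C:\Program Files\SimpleHelp\simpleservice.exe", "support.example.internal", 443),
    NetworkEvent("WS02", r"C:\Program Files\SimpleHelp\simpleservice.exe", "203.0.113.9", 443),
    ProcessEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net user /domain"),
    ProcessEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ProcessEvent("WS01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe", r"net use Z: \\fs\share"),
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for host, kind, detail in found:
        print(f"{host} [{kind}] {detail}")
    print("hosts with both signals:", correlate(found))
```

On the sample, WS01's connection to the approved server and its explorer-launched `net use` produce nothing, while WS02 raises three alerts and is the only host returned by `correlate`. The cmd.exe-to-net rule is noisy on its own because administrators run the same commands; the rogue-server signal is the discriminating one, and correlating the two per host is what keeps the alert actionable.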

Recommended Actions for Organizations

Organizations using SimpleHelp are strongly advised to update to the latest patched versions to protect against potential threats. Meanwhile, Zyxel users should remain vigilant and implement strict access controls while awaiting an official fix.