Cybersecurity researchers at GreyNoise have detected widespread exploitation of a critical command injection vulnerability (CVE-2024-40891) affecting Zyxel CPE devices. This high-severity security flaw, initially discovered in summer 2023, remains unpatched, leaving thousands of devices exposed to potential attacks.
Understanding the Technical Impact
The vulnerability (CVE-2024-40891) enables remote command execution via the supervisor and zyuser service accounts without requiring authentication. Unlike its HTTP-based counterpart CVE-2024-40890, this vulnerability is exploited over the Telnet protocol, making it particularly dangerous for devices with exposed Telnet services. Successful exploitation could grant attackers complete control over affected devices.
Global Exposure Assessment
According to the Censys analytics platform, more than 1,500 potentially vulnerable Zyxel CPE devices are currently exposed on the internet. The highest concentration of affected devices has been identified in the Philippines, Turkey, the United Kingdom, France, and Italy. Security researchers have observed that the majority of exploitation attempts originate from Taiwan-based IP addresses.
Critical Security Measures
In the absence of an official security patch, network administrators should implement the following protective measures:
Immediate Actions Required
1. Deploy IP-based access control lists (ACLs) to block known malicious addresses
2. Implement comprehensive network traffic monitoring focusing on suspicious Telnet activity
3. Restrict administrative interface access through IP whitelisting
4. Disable remote management capabilities where not business-critical
Technical Mitigation Strategies
Network security professionals should consider implementing additional protective layers, including:
– Deployment of network segmentation to isolate vulnerable devices
– Implementation of intrusion detection systems (IDS) configured to detect Telnet exploitation attempts
– Regular security audits to identify and document exposed services
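The following script is an added illustration of the IP-based ACL and Telnet-monitoring steps listed under "Immediate Actions Required" and "Technical Mitigation Strategies"; it is not code from the article, from GreyNoise or from Zyxel. It assumes a syslog-style connection log from a perimeter firewall in a constructed format, an operator-defined allowlist of management hosts, and an upstream Linux filter that accepts iptables rules. All addresses use RFC 5737 documentation ranges and the log lines are constructed for the example.

```python
"""
Added example (not from the article or GreyNoise): flag inbound Telnet
connections to CPE management addresses from sources outside an
operator-defined allowlist, and emit the matching ACL rules.
All addresses and log lines below are constructed (RFC 5737 ranges).
"""
import ipaddress
import re
from collections import Counter

TELNET_PORT = 23

# Assumption: the only hosts that should ever reach the CPEs' Telnet
# service are the NOC subnet and a single admin jump host.
MANAGEMENT_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),   # NOC subnet (constructed)
    ipaddress.ip_network("192.0.2.100/32"),    # admin jump host (constructed)
]

# Constructed connection records from a perimeter firewall (not real traffic).
SAMPLE_LOGS = """\
2025-01-28T10:15:02Z fw01 CONN src=198.51.100.5 dst=192.0.2.10 proto=TCP spt=40211 dpt=23 action=ACCEPT
2025-01-28T10:16:40Z fw01 CONN src=203.0.113.7 dst=192.0.2.10 proto=TCP spt=51234 dpt=23 action=ACCEPT
2025-01-28T10:16:41Z fw01 CONN src=203.0.113.7 dst=192.0.2.11 proto=TCP spt=51235 dpt=23 action=ACCEPT
2025-01-28T10:17:05Z fw01 CONN src=203.0.113.9 dst=192.0.2.10 proto=TCP spt=44100 dpt=80 action=ACCEPT
2025-01-28T10:18:12Z fw01 CONN src=203.0.113.22 dst=192.0.2.11 proto=TCP spt=60002 dpt=23 action=ACCEPT
2025-01-28T10:18:13Z fw01 heartbeat ok
2025-01-28T10:19:30Z fw01 CONN src=192.0.2.100 dst=192.0.2.10 proto=TCP spt=39000 dpt=23 action=ACCEPT
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONN src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a CONN record, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_allowed_source(src):
    """True when src falls inside one of the allowlisted management ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address is never trusted
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def find_unauthorized_telnet(lines):
    """Return CONN records for TCP/23 that came from non-allowlisted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-connection or malformed lines
        if rec["proto"] != "TCP" or rec["dpt"] != TELNET_PORT:
            continue  # only the Telnet service is in scope here
        if is_allowed_source(rec["src"]):
            continue
        hits.append(rec)
    return hits


def count_by_source(events):
    """Count flagged connections per source address so repeat sources surface first."""
    return Counter(e["src"] for e in events)


def build_acl_rules(allowlist=MANAGEMENT_ALLOWLIST, port=TELNET_PORT):
    """iptables rules for an upstream filter: permit management ranges, drop everything else."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT" for net in allowlist]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    events = find_unauthorized_telnet(SAMPLE_LOGS.splitlines())
    for src, n in count_by_source(events).most_common():
        print(f"{src}: {n} unauthorized Telnet connection(s)")
    print("\n".join(build_acl_rules()))
```

On the constructed sample the script flags three Telnet connections from two non-allowlisted sources and ignores the HTTP record, the heartbeat line and the two connections from management hosts. The generated rules implement the ACL step as a default-deny on TCP/23 with explicit exceptions; in practice the allowlist should be kept as small as the page recommends, and the flagged sources fed into the monitoring and IDS alerting the article calls for.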
The severity of this vulnerability, combined with active exploitation attempts and the absence of a vendor patch, creates a significant security risk for organizations utilizing Zyxel CPE devices. Network administrators must take immediate action to implement the recommended security controls. Continuous monitoring and rapid response capabilities are essential to protect against potential network compromises through this attack vector.