Cybersecurity researchers at GreyNoise have detected widespread exploitation of a critical command injection vulnerability (CVE-2024-40891) affecting Zyxel CPE devices. This high-severity security flaw, initially discovered in summer 2023, remains unpatched, leaving thousands of devices exposed to potential attacks.
Unauthenticated Telnet RCE via Service Accounts: CVE-2024-40891 Explained
The vulnerability (CVE-2024-40891) allows unauthenticated remote code execution through the supervisor and zyuser service accounts. Unlike its HTTP-based counterpart, CVE-2024-40890, it is reached over the Telnet protocol, which puts devices with Telnet exposed to the internet at particular risk. Successful exploitation gives an attacker complete control over the affected device.
Global Exposure Assessment
According to the Censys analytics platform, more than 1,500 potentially vulnerable Zyxel CPE devices are currently exposed on the internet. The highest concentrations of affected devices have been identified in the Philippines, Turkey, the United Kingdom, France, and Italy. Security researchers have observed that the majority of exploitation attempts originate from Taiwan-based IP addresses.
Critical Security Measures
In the absence of an official security patch, network administrators should implement the following protective measures:
Immediate Actions for Zyxel CPE Administrators
- Block Telnet port 23 at the network perimeter — deny all inbound Telnet traffic to CPE devices.
- Restrict administrative interface access to whitelisted IP addresses only.
- Disable remote management entirely if it is not operationally required.
- Configure SIEM alerts for Telnet connection attempts from Taiwan-geolocated IPs.
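A small detection routine for the measures above, added here as an example and not part of the original article: it scans perimeter firewall logs for Telnet (TCP/23) connection attempts against CPE management addresses from sources outside the administrative allowlist, and separately reports the attempts the firewall allowed through, which would mean the port 23 block is not in effect on that path. The log format, the allowlist (10.0.0.0/24) and the CPE addresses are assumptions; the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (not from the article). Assumed format:
# "<ts> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>"
SAMPLE_LOG = """\
2025-01-30T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp action=allow
2025-01-30T10:00:02Z src=198.51.100.5 dst=192.0.2.10 dport=443 proto=tcp action=allow
2025-01-30T10:00:03Z src=203.0.113.7 dst=192.0.2.11 dport=23 proto=tcp action=allow
2025-01-30T10:00:04Z src=10.0.0.5 dst=192.0.2.10 dport=23 proto=tcp action=allow
2025-01-30T10:00:05Z src=203.0.113.9 dst=192.0.2.12 dport=23 proto=tcp action=deny
"""

# Hypothetical admin allowlist and CPE addresses (assumptions for this example).
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]
CPE_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

def parse_line(line):
    # Turn one "key=value" firewall line into a dict; dport becomes an int.
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def find_telnet_alerts(log_text):
    """TCP/23 attempts against CPE hosts from non-allowlisted sources, allowed or denied."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] != 23:
            continue
        if rec["dst"] not in CPE_HOSTS or is_allowlisted(rec["src"]):
            continue
        alerts.append(rec)
    return alerts

def perimeter_gaps(alerts):
    """Alerts the firewall let through: the port 23 block is not in effect on that path."""
    return [a for a in alerts if a["action"] == "allow"]

def summarize_by_source(alerts):
    # Attempt count per source address, the figure a SIEM rule would threshold on.
    return Counter(a["src"] for a in alerts)
```

On the constructed log this flags three attempts from two external sources, two of which were allowed through; the internal admin host and the HTTPS connection are ignored.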
No official Zyxel patch is available. Monitor Zyxel’s security advisory page for updates on CVE-2024-40891.