![CVE-2024-12686 - CVE-2025-23006](https://securityexpress.info/wp-content/uploads/2025/01/hacked-1734197_1280-1024x597.jpg)
Zyxel has issued a critical security advisory regarding vulnerabilities in its CPE-series devices, which are actively being exploited by hackers. The company has stated that it does not intend to release security updates and instead advises users to replace affected hardware with newer models.
The two vulnerabilities were initially discovered by VulnCheck in July 2024, but large-scale exploitation has only recently been observed. According to GreyNoise, threat actors have already begun leveraging these flaws in their attacks. Analysis from FOFA and Censys indicates that over 1,500 vulnerable devices are exposed to the internet, significantly expanding the attack surface.
CVE-2024-40891 (CVSS score: 8.8) allows an authenticated user to execute command injections via Telnet due to insufficient validation in the `libcms_cli.so` library. Certain commands, such as `ifconfig`, `ping`, and `tftp`, are passed unchecked to the shell execution function, enabling arbitrary code execution through shell metacharacters.
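To illustrate the class of defect described above, here is an added example (not Zyxel's code and not derived from `libcms_cli.so`) of a hypothetical CLI handler that formats a user-supplied argument into a shell command, beside a hardened variant that allowlists the argument and executes the binary directly, so no shell ever parses the input:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical handler showing the unsafe pattern the advisory describes:
 * the argument reaches system() unchecked, so a metacharacter such as ';'
 * lets the caller run arbitrary commands. Shown for contrast only. */
int ping_unsafe(const char *host) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Allowlist check: a hostname or IP literal never needs shell
 * metacharacters, so accept only [A-Za-z0-9.:-] and forbid a leading '-'
 * (which would otherwise be parsed as an option by the target binary). */
int arg_is_safe(const char *arg) {
    size_t n = strlen(arg);
    if (n == 0 || n > 253 || arg[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == ':' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then exec with a fixed argv so the
 * argument is passed as a single token and never interpreted by a shell.
 * Returns the child's exit status, or -1 if the argument is rejected or
 * the process cannot be started. */
int ping_safe(const char *host) {
    if (!arg_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);  /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validator rejects the input before any process is spawned, which is also the point at which a device-side log entry would make such attempts visible.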
CVE-2025-0890 (CVSS score: 9.8) is linked to weak default credentials (e.g., `admin:1234`, `zyuser:1234`, `supervisor:zyad1234`), granting full control over the device. The `supervisor` account possesses hidden privileges, providing unrestricted system access, while the `zyuser` account can leverage CVE-2024-40891 for remote code execution.
VulnCheck has published a proof of concept demonstrating the exploitation of these vulnerabilities on the VMG4325-B10A model running outdated firmware. Despite these devices having long been discontinued, they remain in use across both corporate and residential networks.
In an official statement, Zyxel acknowledged the existence of these vulnerabilities in multiple models, including the VMG1312-B10A, VMG3312-B10A, and VMG4380-B10A, among others. However, the company emphasized that all affected devices are obsolete and no longer supported, urging users to transition to modern alternatives.
Beyond the two vulnerabilities identified by VulnCheck, Zyxel has also confirmed CVE-2024-40890 (CVSS score: 8.8), another post-authentication command execution flaw similar in nature to CVE-2024-40891. Nevertheless, the company has no plans to issue a patch.
Shortly after the report’s publication, Zyxel stated that it had attempted to obtain detailed information from VulnCheck as early as July, but the researchers did not provide a full disclosure. Meanwhile, the vulnerabilities continue to be actively exploited, leaving users without an official security fix.