Taiwanese networking gear maker Zyxel on Tuesday said that two exploited zero-days in a number of legacy DSL CPE products will not be patched.
The notice comes roughly one week after threat intelligence firm GreyNoise warned that more than 1,500 devices are affected by a critical command injection bug actively exploited by a Mirai-based botnet.
“After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains,” GreyNoise said.
Tracked as CVE-2024-40891, the flaw was initially disclosed in mid-2024 alongside CVE-2024-40890, a similar command injection issue. The main difference between them is the attack vector: CVE-2024-40890 is reachable over HTTP, while CVE-2024-40891, the one now being exploited, is reachable over Telnet.
Attackers could exploit these security defects to execute arbitrary commands on vulnerable devices for full takeover and data exfiltration, potentially compromising the networks the products were deployed on.
On Tuesday, Zyxel confirmed that the two issues impact multiple DSL CPE models, namely VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500.
Zyxel also notes that the WAN access and the Telnet function abused for exploitation are disabled by default on these devices, and that an attacker would need to log in to an affected device using compromised credentials to exploit the bugs. In practice, a device is at risk when both conditions hold: Telnet is reachable from the WAN, and the attacker holds a valid login.
According to the vendor, because the affected models are legacy devices for which support ended years ago, no patch will be released for either of the bugs. The same applies to a newly discovered vulnerability in these DSL CPE products, tracked as CVE-2025-0890, which allows attackers to log in to the management interface using default credentials.
VulnCheck, which reported the vulnerabilities to Zyxel, explains that the affected devices are provisioned with three hardcoded accounts, namely ‘supervisor’, ‘admin’, and ‘zyuser’.
The supervisor account, which is not visible via the web interface, has functionality in the Telnet interface, including access to a hidden command that gives it unrestricted access to the system.
The zyuser account, which is visible in the user table, has elevated privileges and can be abused to achieve full remote code execution via the exploited CVE-2024-40891 vulnerability. This is what makes the combination dangerous: the default credentials (CVE-2025-0890) supply the login that the post-authentication command injection requires, so an attacker needs nothing beyond network reachability of the Telnet service.
“While these devices are aging and supposed to be out of support, thousands remain exposed online. The combination of default credentials and command injection makes them easy targets, highlighting the dangers of insecure default configurations and poor vulnerability transparency,” VulnCheck says.
According to Zyxel, VulnCheck reported CVE-2024-40890 and CVE-2024-40891 in July 2024 without a detailed report, and publicly disclosed the bugs instead. VulnCheck sent details on all three bugs only after GreyNoise’s in-the-wild exploitation warning last week.
The affected devices “are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection,” the vendor warns.