Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to release fixing patches and urging customers to move to actively supported models.
VulnCheck found the two flaws in July 2024, but last week GreyNoise reported seeing exploitation attempts in the wild.
According to the network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant.
In a new post today, VulnCheck published the full details of the two flaws it observed in attacks aimed at gaining initial access to networks:
- CVE-2024-40891 – Authenticated users can exploit Telnet command injection due to improper command validation in libcms_cli.so. Certain commands (e.g., ifconfig, ping, tftp) are passed unchecked to a shell execution function, allowing arbitrary code execution using shell metacharacters.
- CVE-2025-0890 – Devices use weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many users do not change. The supervisor account has hidden privileges, granting full system access, while zyuser can exploit CVE-2024-40891 for remote code execution.
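The bug class behind CVE-2024-40891 is an argument spliced into a shell command line without validation, so a metacharacter in the argument becomes a second command. The following C snippet, added here as an illustration and not taken from Zyxel's firmware or VulnCheck's write-up, shows that pattern beside a hardened variant that validates the argument against a hostname-only allowlist and hands it to `execvp()` as a single `argv` element, so no shell parses it. All function names (`build_cmd_unsafe`, `is_safe_host_arg`, `build_argv_safe`) and the sample inputs are hypothetical; the unsafe function only builds the string and never executes it.

```c
/* Added illustration of the command-injection pattern and a hardened
 * alternative. Hypothetical names; not Zyxel's libcms_cli.so code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Vulnerable pattern: the CLI argument is concatenated into a shell command
 * line. If `arg` contains ';', '|', '`' or '$(...)', the shell would run a
 * second command. This function only builds the string (returns 0, or -1 on
 * truncation) and deliberately never calls system() or popen(). */
int build_cmd_unsafe(const char *arg, char *out, size_t n)
{
    int len = snprintf(out, n, "ping -c 3 %s", arg);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Hardened check: accept only characters that can appear in a hostname or
 * an IPv4/IPv6 literal. Every shell metacharacter (space, ';', '|', '&',
 * '`', '$', '<', '>', '(', ')', newline) fails this test. */
int is_safe_host_arg(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 253) return 0;           /* empty or over DNS max */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Hardened pattern: after validation the argument becomes one argv element.
 * `argv` must have room for 5 pointers. Returns 0 on success, -1 if the
 * argument is rejected. A caller would then fork() and execvp(argv[0], argv);
 * because no shell is involved, metacharacters are passed to ping literally
 * (and are rejected before that point anyway). */
int build_argv_safe(const char *arg, const char **argv)
{
    if (!is_safe_host_arg(arg)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "3";
    argv[3] = arg;
    argv[4] = NULL;
    return 0;
}

int main(void)
{
    char cmd[256];
    const char *argv[5];
    /* Constructed sample inputs: a plain address and one carrying a metacharacter. */
    const char *inputs[] = { "10.0.0.1", "10.0.0.1; echo injected" };
    for (size_t i = 0; i < 2; i++) {
        build_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe shell line: [%s]\n", cmd);
        printf("hardened accepts : %s\n",
               build_argv_safe(inputs[i], argv) == 0 ? "yes" : "no (rejected)");
    }
    return 0;
}
```

The two defences are independent: the allowlist stops the malformed argument at the boundary, and the `argv`-based exec removes the shell interpreter entirely, so a validation gap cannot turn into code execution.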

Source: VulnCheck
VulnCheck disclosed the complete exploitation details, demonstrating its PoC against a VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615.

Source: VulnCheck
The researchers warned that despite these devices having been unsupported for many years, they are still found in networks worldwide.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” warned VulnCheck.
“The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is essential to effective security research.”
Zyxel suggests replacement
Zyxel’s latest advisory confirms that the vulnerabilities disclosed by VulnCheck today impact multiple end-of-life (EoL) products.
The vendor states that the impacted devices reached EoL several years ago and suggests replacing them with newer-generation equipment.
“We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years,” reads Zyxel’s advisory.
“Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.”
Zyxel also includes a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection problem similar to CVE-2024-40891.
Interestingly, Zyxel claims that although it asked VulnCheck to share a detailed report back in July, VulnCheck never did and instead allegedly published its write-up without informing the vendor.