Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging users to move to actively supported models.
VulnCheck discovered the two flaws in July 2024, but last week, GreyNoise reported having seen
exploitation attempts in the wild.
According to network scanning engines FOFA and Censys, over 1,500 Zyxel CPE Series devices are exposed to the internet, so the attack surface is significant.
In a new post today, VulnCheck presented the full details of the two flaws it observed in attacks aimed at gaining initial access to networks:
- CVE-2024-40891 – Authenticated users can exploit Telnet command injection due to improper command validation in libcms_cli.so. Certain commands (e.g., ifconfig, ping, tftp) are passed unchecked to a shell execution function, allowing arbitrary code execution using shell metacharacters.
- CVE-2025-0890 – Devices use weak default credentials (admin:1234, zyuser:1234, supervisor:zyad1234), which many users don't change. The supervisor account has hidden privileges, granting full system access, while zyuser can exploit CVE-2024-40891 for remote code execution.
