Zyxel has issued a security advisory regarding serious vulnerabilities in its CPE Series devices, confirming that the flaws are being actively exploited. However, the company has made it clear that no security patches will be released, urging users to replace the affected models with newer hardware.
Exploits in the Wild: Security Firms Sound the Alarm
The security vulnerabilities were first discovered by VulnCheck in July 2024, but it wasn’t until last week that GreyNoise confirmed exploitation attempts in real-world attacks. That escalation has now led to Zyxel stepping forward with a public warning.
According to data from network scanning platforms FOFA and Censys, more than 1,500 Zyxel CPE Series devices are currently exposed to the internet. That leaves a substantial number of systems vulnerable to attack, with security experts noting that hackers are actively scanning for and attempting to exploit these weaknesses.
The Flaws: What Makes These Devices a Target?
VulnCheck’s latest report provides a detailed breakdown of two critical vulnerabilities being used by attackers to gain initial access to networks:
- CVE-2024-40891 – A post-authentication command injection reachable over Telnet, caused by missing argument validation in `libcms_cli.so`. The arguments to CLI commands such as `ifconfig`, `ping` and `tftp` are passed unchecked to a shell execution function, so shell metacharacters in those arguments give the attacker arbitrary command execution on the device.
- CVE-2025-0890 – Many affected devices ship with weak default credentials (`admin:1234`, `zyuser:1234`, `supervisor:zyad1234`) that users often never change. The hidden `supervisor` account provides full system access, and the `zyuser` account is enough to satisfy the authentication requirement of CVE-2024-40891, turning the pair into unauthenticated remote code execution in practice.
VulnCheck has demonstrated a proof-of-concept (PoC) attack against the VMG4325-B10A running firmware 1.00(AAFR.4)C0_20170615, proving the vulnerabilities are real and exploitable.
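The injection pattern described above, as an added C illustration (this is not Zyxel's code and not VulnCheck's PoC): the vulnerable shape assumes a CLI handler that splices the user's argument into a `ping` command line for a shell, and the hardened version beside it shows the two changes that close the hole, an allow-list check on the argument and an `execvp` call with an explicit argv so no shell ever parses it. The handler layout, function names and the payload string are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shape of the bug (an assumption about the handler, not Zyxel's code): the
 * argument typed after a CLI command is spliced into a shell command line and
 * handed to a shell, so ';', '$(...)', '`' and friends become extra commands.
 * Returns the length of the built command line, or -1 if it would not fit. */
int build_ping_cmd_unsafe(char *out, size_t outlen, const char *host)
{
    int n = snprintf(out, outlen, "ping -c 4 %s", host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Returns 1 if the string contains a character a POSIX shell would interpret. */
int has_shell_metachar(const char *s)
{
    static const char meta[] = ";|&`$()<>\n\r\\\"'";
    for (; *s; s++)
        if (strchr(meta, *s))
            return 1;
    return 0;
}

/* Hardened input check: accept only what a hostname or dotted IPv4 literal
 * can contain, and refuse a leading '-' so the value cannot be parsed as a
 * ping option. Returns 1 if safe, 0 otherwise. */
int cli_arg_is_safe(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 253 || arg[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened runner: validate, then exec ping with an explicit argv so no shell
 * ever sees the argument. Returns ping's exit status, or -1 if the argument
 * was rejected or the process could not be started. */
int run_ping_safe(const char *host)
{
    if (!cli_arg_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload of the kind a Telnet CLI session could carry. */
    const char *payload = "192.0.2.1; cat /etc/passwd";
    char cmd[256];

    if (build_ping_cmd_unsafe(cmd, sizeof cmd, payload) > 0)
        printf("unsafe handler would hand the shell: %s   (metachar found: %d)\n",
               cmd, has_shell_metachar(cmd));
    printf("hardened check accepts payload: %d\n", cli_arg_is_safe(payload));
    printf("hardened check accepts 192.0.2.1: %d\n", cli_arg_is_safe("192.0.2.1"));
    /* run_ping_safe("192.0.2.1") would exec ping directly; not invoked here so
     * the demo stays offline. */
    return 0;
}
```

The allow-list rejects the payload outright, and even an argument that slipped past it could not reach a shell because `run_ping_safe` never builds a command string. Blocking a list of known metacharacters (the `has_shell_metachar` approach) is shown only as a detector; as the sole defence it is fragile, which is why the allow-list plus shell-free exec is the fix.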
Legacy Devices, No Fixes: Zyxel Recommends Replacements
Zyxel has confirmed that the vulnerabilities affect multiple end-of-life (EoL) products, meaning these devices will not receive patches. The company is advising users to replace outdated hardware rather than expect a fix.
The affected models include:
| Affected Zyxel Devices | Status |
|---|---|
| VMG1312-B10A | EoL |
| VMG1312-B10B | EoL |
| VMG1312-B10E | EoL |
| VMG3312-B10A | EoL |
| VMG3313-B10A | EoL |
| VMG3926-B10B | EoL |
| VMG4325-B10A | EoL |
| VMG4380-B10A | EoL |
| VMG8324-B10A | EoL |
| VMG8924-B10A | EoL |
| SBG3300 | EoL |
| SBG3500 | EoL |
“We strongly recommend that users replace them with newer-generation products for optimal protection,” Zyxel stated in its advisory.
A Third Flaw Adds to the Concerns
Alongside the previously known vulnerabilities, Zyxel has disclosed another issue:
- CVE-2024-40890 – A post-authentication command injection flaw of the same kind as CVE-2024-40891, but reached through the device's web management interface rather than Telnet.
Between the two injection flaws and the default credentials, an attacker who can reach either the Telnet or the HTTP management service of one of these legacy devices has more than one path to command execution on it.
Tensions Between Zyxel and VulnCheck Over Disclosure
A point of contention has emerged between Zyxel and VulnCheck regarding the disclosure process. Zyxel claims that it had requested detailed information about the vulnerabilities from VulnCheck as early as July 2024, but never received a formal report. Instead, VulnCheck went public with its findings without giving Zyxel prior notification.
Security firms and vendors often clash over responsible disclosure timelines, with researchers arguing that full disclosure raises awareness and forces action, while vendors prefer private reporting to develop patches before hackers take advantage.
Regardless of the dispute, the fact remains: these vulnerabilities are being actively exploited, and users need to take action immediately.
What Should Zyxel CPE Series Users Do Now?
Given that Zyxel has no plans to fix these issues, users of the affected models have limited options. Security experts suggest:
- Replacing outdated Zyxel devices with newer, actively supported models.
- Disabling remote management (Telnet, SSH and the web interface) on the WAN side; Telnet is the vector for CVE-2024-40891, so turning it off removes that path entirely. Where management access is still needed, restrict it to the LAN or to a small set of trusted addresses.
- Changing every default password, including the `zyuser` and `supervisor` accounts and not just `admin`, to strong, unique credentials.
- Monitoring for logins to the devices' management services and for scanning or connection attempts against their Telnet and HTTP ports from the internet.
With confirmed exploitation in the wild, network administrators using these legacy Zyxel routers should act fast. Hackers are already taking advantage, and without a security patch, the risks will only grow.