New Zyxel Zero-Day Under Attack, No Patch Available

GreyNoise reports active exploitation of a newly discovered zero-day vulnerability in Zyxel CPE devices. There are no patches available.

Malware hunters at GreyNoise are reporting active exploitation of a newly discovered zero-day vulnerability in Zyxel CPE devices alongside warnings that there are no patches available from the vendor.

GreyNoise, which monitors the internet for malicious activity, described the flaw as a critical command injection issue that can give an attacker full control of the affected device.

The company is tracking the issue as CVE-2024-40891 and cautions that, according to data from Censys, there are more than 1,500 devices currently exposed to exploitation.

According to GreyNoise's write-up, the vulnerability is similar to the previously patched CVE-2024-40890; the difference is that the older flaw is exploited over HTTP, while the new zero-day is exploited over Telnet.

Both allow unauthenticated attackers to leverage service accounts such as “supervisor” or “zyuser” to gain high-level access, GreyNoise said.

To date, there has been no communication from Zyxel on the issue. GreyNoise said it decided to publish details of the issue ahead of the availability of patches because the issue has been in the public domain since August 2024.

This is not the first time Zyxel vulnerabilities have been abused by threat actors. In recent months, the Helldown ransomware operators and other groups targeted Zyxel firewall weaknesses for initial compromise.

These attacks have led to credential theft, network infiltration, and installation of rogue admin accounts.


In the absence of official fixes, GreyNoise is recommending that defenders immediately restrict Telnet administrative access to trusted IP ranges and disable unnecessary remote services.

The company also recommends monitoring network logs for unusual traffic aimed at Zyxel CPE management interfaces. Administrators should watch Zyxel’s security advisories for any forthcoming patches, applying them as soon as they become available, GreyNoise said.

GreyNoise is also urging network defenders to stop using end-of-life Zyxel devices and to verify that no new accounts have been created, since an unexpected account could indicate compromise.
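As an added illustration of the monitoring recommendation above (this is example code, not GreyNoise's tooling or anything published by Zyxel), the script below scans perimeter connection logs for management-plane traffic to Zyxel CPE hosts from outside the trusted administrative ranges. The CPE addresses, the trusted ranges, and the key=value log format are assumptions for the example; the sample log lines are constructed, not captured traffic. Telnet is checked because it is the vector GreyNoise describes for CVE-2024-40891, and HTTP/HTTPS because it is the vector for the related CVE-2024-40890.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed for this example (not from the article): addresses of the Zyxel CPE
# management interfaces and the ranges from which administration is expected.
CPE_MANAGEMENT_HOSTS = {"192.0.2.10", "192.0.2.11"}
TRUSTED_ADMIN_RANGES = [
    ipaddress.ip_network("10.10.0.0/24"),     # assumed jump-host subnet
    ipaddress.ip_network("198.51.100.0/28"),  # assumed NOC range
]

# Telnet is the vector GreyNoise describes for CVE-2024-40891; HTTP/HTTPS is
# the vector for the related CVE-2024-40890, so both count as management.
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}

# Constructed key=value connection-log format for the example; adapt the regex
# to whatever the perimeter device in use actually emits.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-01-28T10:01:02Z src=10.10.0.5 dst=192.0.2.10 proto=tcp dport=23 action=allow
2025-01-28T10:02:17Z src=203.0.113.77 dst=192.0.2.10 proto=tcp dport=23 action=allow
2025-01-28T10:02:18Z src=203.0.113.77 dst=192.0.2.11 proto=tcp dport=80 action=deny
2025-01-28T10:03:40Z src=203.0.113.77 dst=192.0.2.50 proto=tcp dport=23 action=allow
2025-01-28T10:04:05Z src=198.51.100.3 dst=192.0.2.11 proto=tcp dport=443 action=allow
2025-01-28T10:05:00Z src=203.0.113.9 dst=192.0.2.10 proto=udp dport=23 action=allow
""".splitlines()


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    service: str
    allowed: bool


def is_trusted(src):
    """True if src (string or address object) lies inside a trusted admin range."""
    addr = ipaddress.ip_address(str(src))
    return any(addr in net for net in TRUSTED_ADMIN_RANGES)


def scan_connection_log(lines):
    """Return management-plane connections to CPE hosts from untrusted sources.

    Denied attempts are kept too: a blocked Telnet probe against a CPE is still
    worth knowing about while exploitation is ongoing.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unrelated or malformed line
        if m["dst"] not in CPE_MANAGEMENT_HOSTS:
            continue  # not one of the CPE management addresses
        dport = int(m["dport"])
        if m["proto"].lower() != "tcp" or dport not in MANAGEMENT_PORTS:
            continue  # Telnet and the web UI are TCP; ignore other traffic
        if is_trusted(m["src"]):
            continue  # expected administrative source
        findings.append(Finding(m["ts"], m["src"], m["dst"],
                                MANAGEMENT_PORTS[dport], m["action"] == "allow"))
    return findings


def sources_by_hit_count(findings):
    """Rank untrusted sources by number of management-plane touches."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan_connection_log(SAMPLE_LOG)
    for f in hits:
        state = "ALLOWED" if f.allowed else "blocked"
        print(f"{f.ts} {f.src} -> {f.dst} {f.service} ({state})")
    print("top sources:", sources_by_hit_count(hits))
```

On the constructed sample, the script reports two touches from 203.0.113.77: an allowed Telnet session to one CPE, which is exactly the condition the Telnet-restriction advice is meant to prevent, and a blocked web-UI attempt against the other. Connections from the trusted ranges, to hosts that are not CPE management interfaces, or over UDP are ignored. The allowed Telnet hit is the one to follow up on by checking that device for unexpected accounts.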

Related: CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

Related: Recent Zyxel Firewall Flaw Exploited in Ransomware Attacks

Related: Zyxel Patches Critical Vulnerabilities in Networking Devices

Related: Recent Zyxel NAS Vulnerability Exploited by Botnet

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
