Zyxel Warns of Zero-Day Vulnerabilities in Legacy DSL CPE Devices

Zyxel, a Taiwanese networking equipment vendor, has warned about two zero-day vulnerabilities in its legacy DSL CPE products. The company confirmed that these flaws, CVE-2024-40890 and CVE-2024-40891, will not receive patches. As a result, well over a thousand internet-exposed devices remain open to attack.

The warning follows a report from GreyNoise, a threat intelligence firm, which observed active exploitation attempts, including from a Mirai-based botnet, and found over 1,500 affected devices exposed to the internet. Zyxel explained that the affected devices have not received updates for years and that no further patches will be issued.

What Are the Vulnerabilities?

Both CVE-2024-40890 and CVE-2024-40891 are post-authentication command injection flaws that let an attacker who can log in to the device execute arbitrary operating system commands on it. A compromised CPE can be fully taken over, used to exfiltrate data, and serves as a foothold into the network behind it. The two flaws differ mainly in the path used to reach them: CVE-2024-40890 is exploited through the device's HTTP management interface (a crafted POST request to a CGI program), while CVE-2024-40891 is exploited through the management commands available over Telnet.

GreyNoise confirmed that Mirai botnet strains have integrated these exploits, using them to hijack vulnerable devices. Mirai is notorious for creating large-scale botnets that carry out DDoS attacks.

Affected Zyxel Devices

Several Zyxel DSL CPE models are vulnerable to these exploits, including:

  • VMG1312-B10A, VMG1312-B10B, VMG1312-B10E
  • VMG3312-B10A, VMG3313-B10A
  • VMG3926-B10B, VMG4325-B10A, VMG4380-B10A
  • VMG8324-B10A, VMG8924-B10A
  • SBG3300, SBG3500

Zyxel clarified that WAN access and the Telnet function are disabled by default on these devices. In addition, because both flaws are post-authentication, attackers need valid login credentials before they can exploit them; in practice, that requirement is weakened by the default credentials discussed below.
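Because both flaws are only reachable through the HTTP or Telnet management service, the first thing a defender can verify is whether those services are actually reachable from the WAN side of a listed model. The script below is an added example for this article, not code from Zyxel, GreyNoise or VulnCheck. It probes TCP/23 and TCP/80 on a device and rates the result against the model list from the advisory; the localhost listener it spins up in the demo is a constructed stand-in for an exposed management port so that the example runs offline.

```python
"""Exposure check for the legacy Zyxel DSL CPE models named in the advisory.

Added example for this article; it is not Zyxel, GreyNoise or VulnCheck code.
Both command-injection flaws are post-authentication and are reached over the
device's HTTP management interface (CVE-2024-40890) or Telnet (CVE-2024-40891),
so the first thing to verify is whether either service answers from the WAN.
Run it from OUTSIDE the CPE's LAN against the CPE's public address.
"""
import socket
import threading

# Affected, end-of-life models listed in the Zyxel advisory.
AFFECTED_MODELS = {
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E",
    "VMG3312-B10A", "VMG3313-B10A",
    "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A",
    "SBG3300", "SBG3500",
}

TELNET_PORT = 23   # CVE-2024-40891 path (Telnet management commands)
HTTP_PORT = 80     # CVE-2024-40890 path (CGI program, HTTP POST)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(model: str, telnet_open: bool, http_open: bool) -> tuple:
    """Rate one device. Returns (severity, reasons).

    critical : affected model with a management service reachable from the WAN
    high     : affected model, nothing reachable (still EOL, still unpatched)
    info     : model not in the advisory list
    """
    if model.upper() not in AFFECTED_MODELS:
        return "info", ["model not in the Zyxel advisory list"]
    reasons = ["end-of-life model; Zyxel will not ship a patch"]
    if telnet_open:
        reasons.append("Telnet reachable from WAN (CVE-2024-40891 path; off by default)")
    if http_open:
        reasons.append("HTTP management reachable from WAN (CVE-2024-40890 path)")
    severity = "critical" if (telnet_open or http_open) else "high"
    return severity, reasons


def probe(host: str, model: str,
          telnet_port: int = TELNET_PORT, http_port: int = HTTP_PORT) -> tuple:
    """Probe a live device's management ports and rate the exposure."""
    return assess(model, port_open(host, telnet_port), port_open(host, http_port))


def _fake_listener() -> tuple:
    """Constructed stand-in for an exposed management port (offline demo).
    Returns (port, server_socket); the caller closes the socket when done."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def _unused_port() -> int:
    """A local port nothing is listening on (models a disabled service)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Demo: Telnet "exposed" via the fake listener, HTTP management disabled.
    telnet_port, srv = _fake_listener()
    severity, reasons = probe("127.0.0.1", "VMG4325-B10A", telnet_port, _unused_port())
    srv.close()
    print(severity)
    for reason in reasons:
        print(" -", reason)
```

A device that rates "high" is still end-of-life with no patch coming, so the check only tells you how urgent replacement is, not whether the device is safe to keep.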

Why No Patch Will Be Released

Zyxel stated that the affected devices are legacy models that reached End-of-Life (EOL) status years ago and are no longer supported, so no patches will be released for these vulnerabilities. The same applies to CVE-2025-0890, a newly disclosed issue covering insecure default credentials that let attackers log in to the management interface.

The Role of Default Credentials

Because the command injection flaws require authentication, the default credentials tracked as CVE-2025-0890 are what make them practical to exploit. The affected accounts include:

  • supervisor (with hidden command access in Telnet)
  • admin
  • zyuser (with elevated privileges, enabling remote code execution)

Where these default credentials remain in place, an attacker who can reach the Telnet or HTTP management service can simply log in and then trigger the command injection flaws.

The Growing Risk of Exposed Devices

Despite being outdated, many of these Zyxel devices remain online. The combination of insecure default credentials and post-authentication command injection makes them easy targets. VulnCheck, which discovered and reported the vulnerabilities, warned about the dangers of insecure default configurations on legacy devices that will never be patched.

Zyxel’s Response and Advice

Zyxel acknowledged the severity of the situation but, given the legacy status of the affected devices, will not issue patches. The company recommends that customers replace these products with newer, supported devices. Until a device is replaced, the facts above point to the only available mitigations: keep WAN access and Telnet disabled, as they are by default, and do not leave the default account credentials in place.
