Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild.
“Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration,” GreyNoise researcher Glenn Thorpe said in an alert published Tuesday.
The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was first reported by VulnCheck in July 2024.
Statistics gathered by the threat intelligence firm show that attack attempts have originated from dozens of IP addresses, with a majority of them located in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online.
“CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based,” GreyNoise added. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts.”
VulnCheck told The Hacker News that it’s working through its disclosure process with the Taiwanese company. We have reached out to Zyxel for further comment, and we will update the story if we hear back.
In the meantime, users are advised to filter traffic for unusual HTTP requests to Zyxel CPE management interfaces and restrict administrative interface access to trusted IPs.
The development comes as Arctic Wolf reported it observed a campaign starting January 22, 2025, that involved gaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.
It’s currently not known if the attacks are linked to the exploitation of recently disclosed security flaws in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.
“The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance,” security researcher Andres Ramos said. “The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further.”
Organizations are strongly advised to update their SimpleHelp instances to the latest available fixed versions to secure against potential threats.
