Zyxel has issued a security advisory on actively exploited flaws in its CPE series devices, warning that it has no plans to release fixes and urging users to migrate to actively supported models.
VulnCheck discovered the two flaws in July 2024, and last week GreyNoise reported that it had observed exploitation attempts in the wild.
According to FOFA network scans and other public listings, over 1,500 Zyxel CPE series devices are exposed to the Internet, so the attack surface is significant.
In a post published today, VulnCheck presented full details of the two flaws, which it observed in attacks aimed at gaining initial access to networks:
- CVE-2024-40891 – Authenticated users can exploit a Telnet command injection caused by improper command validation in libcms_cli.so. Certain commands (e.g. ifconfig, ping, tftp) are passed without sanitization to a shell-execution function, allowing arbitrary command execution via shell metacharacters.
- CVE-2025-0890 – Devices ship with weak default credentials (Administrator: 1234, Zyuser: 1234, Supervisor: Zyad1234) that many users never change. The supervisor account has hidden privileges granting full system access, while the Zyuser account can exploit CVE-2024-40891 to achieve remote code execution.

VulnCheck disclosed full exploitation details, demonstrating its PoC against a VMG4325-B10A running firmware version 1.00 (Aafr.4) C0_20170615.

The researchers warned that although these devices have been unsupported for several years, they are still present in networks around the world.
“While these systems are older and seemingly long out of support, they remain very important due to their continued use around the world and the persistent interest of attackers,” warned VulnCheck.
“The fact that attackers still actively exploit these routers emphasizes the need for attention, because understanding real-world attacks is crucial for effective security research.”
Zyxel suggests an alternative
Zyxel's latest advisory confirms that the vulnerabilities disclosed by VulnCheck today affect multiple end-of-life (EOL) products.
The vendor states that the affected devices reached EOL several years ago and advises users to replace them with newer-generation equipment.
“We confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500, are older products that reached end-of-life (EOL) years ago,” reads Zyxel's advisory.
“Therefore, we strongly recommend that users replace them with new-generation products for optimal protection.”
Zyxel also covers a third flaw in the advisory, CVE-2024-40890, a post-authentication command injection issue much like CVE-2024-40891.
Interestingly, Zyxel claims that although it had asked VulnCheck for a detailed report since July last year, it never received one. Instead, VulnCheck allegedly published its article without informing the vendor.