Description and potential impacts
Security researchers have recently detected active exploitation in the wild of CVE-2024-40891, used as a 0-day, which affects DSL CPE devices no longer supported by Zyxel.
This vulnerability, a "Command Injection" flaw with a CVSS v3.1 score of 9.8, could allow an attacker to execute arbitrary commands (RCE) on target devices via specially crafted Telnet requests. It is closely related to CVE-2024-40890, which also currently has no patch available; the only difference is that CVE-2024-40890 is reached over HTTP rather than Telnet.
Finally, Zyxel has also documented CVE-2025-0890 – of the “Privilege Escalation” type – which could allow an attacker to access the device management interface if the default credentials have not been changed.
For any further information, we recommend consulting the links to the analysis, available in the References section.
Risk
Vulnerability Community Impact Estimate (1): Critical (81.79)
Type
- Remote Code Execution
- Privilege Escalation
Affected Products and/or Versions
Zyxel DSL CPE: VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500
Mitigation Actions
According to the vendor, the devices listed above are legacy products that reached EOL status several years ago and will not receive a fix. In line with industry product lifecycle management practices, Zyxel recommends that customers replace them with current-generation equipment; until replacement, exposure of the Telnet and HTTP management interfaces to untrusted networks should be prevented and default credentials must not remain in use.
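The advisory names three things a defender can act on without a patch: the affected model list, the two management protocols used as attack vectors (Telnet for CVE-2024-40891, HTTP for CVE-2024-40890), and unchanged default credentials (CVE-2025-0890). The following Python script is an added example, not part of the original advisory or of any Zyxel tooling: it joins a constructed firewall accept log with a constructed asset inventory and flags WAN-side connections on those two ports to affected units, noting where default credentials are still set. The log line format, the inventory fields and every address are assumptions; adapt the regex and inventory loader to the real sources.

```python
import re
from dataclasses import dataclass

# Affected models, taken from the advisory's "Affected Products" list.
AFFECTED_MODELS = frozenset({
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500",
})

# Management protocols named in the advisory, keyed by their usual TCP port.
VECTOR_PORTS = {
    23: ("Telnet", "CVE-2024-40891"),
    80: ("HTTP", "CVE-2024-40890"),
}


@dataclass(frozen=True)
class Asset:
    ip: str
    model: str
    default_credentials: bool  # True if factory credentials were never changed


# Constructed inventory (hypothetical addresses, models and states).
INVENTORY = {
    a.ip: a for a in (
        Asset("192.0.2.10", "VMG1312-B10B", default_credentials=True),
        Asset("192.0.2.11", "VMG8924-B10A", default_credentials=False),
        Asset("192.0.2.12", "VMG1312-B10B", default_credentials=False),
        Asset("192.0.2.13", "OTHER-CPE-01", default_credentials=True),
    )
}

# Hypothetical firewall accept-log format; adjust the pattern to the real source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: ACCEPT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=TCP dport=(?P<dport>\d+) iface=(?P<iface>\w+)$"
)

# Constructed sample log: two WAN hits on vector ports, one LAN hit, one on 443,
# one WAN Telnet hit against a non-affected model.
SAMPLE_LOG = """\
2025-02-05T10:14:02Z fw: ACCEPT src=203.0.113.7 dst=192.0.2.10 proto=TCP dport=23 iface=wan
2025-02-05T10:14:05Z fw: ACCEPT src=203.0.113.7 dst=192.0.2.11 proto=TCP dport=80 iface=wan
2025-02-05T10:15:00Z fw: ACCEPT src=10.0.0.5 dst=192.0.2.10 proto=TCP dport=23 iface=lan
2025-02-05T10:16:00Z fw: ACCEPT src=203.0.113.9 dst=192.0.2.12 proto=TCP dport=443 iface=wan
2025-02-05T10:17:00Z fw: ACCEPT src=203.0.113.9 dst=192.0.2.13 proto=TCP dport=23 iface=wan
"""


def parse_line(line):
    """Parse one accept-log line into a dict, or return None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text, inventory):
    """Return one finding per WAN-side Telnet/HTTP connection to an affected unit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != "wan":
            continue  # only untrusted-side access is counted here
        vector = VECTOR_PORTS.get(rec["dport"])
        asset = inventory.get(rec["dst"])
        if vector is None or asset is None or asset.model not in AFFECTED_MODELS:
            continue
        proto, cve = vector
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "model": asset.model, "protocol": proto, "cve": cve,
            # CVE-2025-0890 additionally applies when factory credentials remain.
            "default_credentials": asset.default_credentials,
        })
    return findings


def eol_exposure(inventory):
    """Inventory-side view: every affected EOL unit, with its default-credential state."""
    return sorted(
        (a.ip, a.model, a.default_credentials)
        for a in inventory.values() if a.model in AFFECTED_MODELS
    )


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, INVENTORY):
        extra = " (default credentials still set: CVE-2025-0890 also applies)" \
            if f["default_credentials"] else ""
        print(f"{f['ts']} {f['src']} -> {f['dst']} {f['model']} "
              f"{f['protocol']} {f['cve']}{extra}")
    print("affected units to replace:", eol_exposure(INVENTORY))
```

Run as-is, the script reports the two WAN hits (Telnet to 192.0.2.10, which also still has default credentials, and HTTP to 192.0.2.11) and lists the three inventory units that fall under the advisory and should be scheduled for replacement; the LAN-side, port-443 and non-affected-model lines are ignored by design.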
References
https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891
(1) This estimate takes into account several parameters, including: CVSS score, availability of patches/workarounds and PoC, and the diffusion of the affected software/devices in the reference community.