
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is here to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those who can give you the best service at realistic, non-inflated prices. We do not charge or collect any fees.

Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891)

Summary:
CVE-2024-40891 is a critical command injection vulnerability impacting Zyxel CPE Series devices. The vulnerability was initially disclosed by VulnCheck on August 1, 2024. However, it has not been officially published by Zyxel, nor have patches been released. Security firm GreyNoise has observed active exploitation attempts in the wild leveraging the zero-day flaw. Based on telemetry gathered by GreyNoise, the attacks have originated from dozens of IP addresses (more than 1000 IPs observed), the majority of which are located in Taiwan, followed by China, Italy, and the United States.


Security Officer Comments:
CVE-2024-40891 can enable unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser), potentially leading to complete system compromise, data exfiltration, or network infiltration. According to a scan conducted by Censys, there are over 1,500 vulnerable devices online. With no patches in sight, this leaves ample opportunity for actors to compromise vulnerable Zyxel CPE Series devices.

Suggested Corrections:
It is unclear whether patches will be released for CVE-2024-40891, given the amount of time that has already passed since the initial disclosure by VulnCheck. In the meantime, GreyNoise recommends:
  1. Network Monitoring: Filter traffic for unusual telnet requests to Zyxel CPE management interfaces.
  2. Patch Readiness: Monitor Zyxel’s security advisories for updates and apply patches or mitigations immediately, if released. Halt the use of devices that have reached end-of-life.
  3. Access Restriction: Restrict administrative interface access to trusted IPs and disable unused remote management features.
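As an added defender-side illustration of recommendations 1 and 3 (this is not code from GreyNoise, Zyxel or this site), the script below scans constructed firewall-style log lines for telnet (TCP/23) attempts against the CPE management addresses and reports any source outside a trusted admin network. The log format, management addresses and trusted network are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall-style log format (not Zyxel's own): "<ts> SRC=<ip> DST=<ip> DPT=<port> PROTO=<proto>"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) PROTO=(\S+)")

# Assumptions: these are the CPE management addresses and the trusted admin network (example ranges).
CPE_MGMT_IPS = {"192.0.2.10", "192.0.2.11"}
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TELNET_PORT = 23


def is_trusted(src):
    """True if src falls inside one of the trusted admin networks (raises ValueError on a non-IP)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def find_untrusted_telnet(log_lines):
    """Count telnet connection attempts to a CPE management address, per untrusted source IP."""
    hits = Counter()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip it
        _, src, dst, dpt, proto = m.groups()
        if proto != "TCP" or int(dpt) != TELNET_PORT or dst not in CPE_MGMT_IPS:
            continue  # not telnet, or not aimed at a management interface
        try:
            if is_trusted(src):
                continue  # expected admin traffic
        except ValueError:
            continue  # malformed source address
        hits[src] += 1
    return hits


# Constructed sample lines: one trusted admin, one untrusted source hitting two CPEs, plus noise.
SAMPLE_LOG = [
    "2025-01-29T10:00:01Z SRC=203.0.113.5 DST=192.0.2.10 DPT=23 PROTO=TCP",
    "2025-01-29T10:00:02Z SRC=198.51.100.7 DST=192.0.2.10 DPT=23 PROTO=TCP",
    "2025-01-29T10:00:03Z SRC=198.51.100.7 DST=192.0.2.11 DPT=23 PROTO=TCP",
    "2025-01-29T10:00:04Z SRC=198.51.100.9 DST=192.0.2.10 DPT=443 PROTO=TCP",
    "2025-01-29T10:00:05Z SRC=198.51.100.9 DST=192.0.2.99 DPT=23 PROTO=TCP",
    "not a log line",
]

if __name__ == "__main__":
    for src, n in find_untrusted_telnet(SAMPLE_LOG).most_common():
        print(f"ALERT: {n} telnet attempt(s) to CPE management from untrusted {src}")
```

Any source that shows up here should be blocked at the perimeter and the device checked for compromise; the trusted range doubles as the allowlist for recommendation 3.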
Link(s):
https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891