Zyxel has issued a warning about critical vulnerabilities in its CPE series devices, which are being actively exploited. The company announced that it will not provide security updates and recommended that users replace the affected devices with newer models.
VulnCheck first discovered the two vulnerabilities in July 2024, but recent mass exploitation has brought them to light. GreyNoise reported that attackers have already begun exploiting them. Data from FOFA and Censys indicates that over 1,500 vulnerable devices are exposed to the Internet, enlarging the potential attack surface.
CVE-2024-40891 (CVSS 8.8) allows an authenticated user to execute arbitrary commands over Telnet because the LibcMS_Cli.so library does not validate commands. Certain commands are passed through without proper validation, so shell metacharacters can be used to run unauthorized code.
CVE-2025-0890 (CVSS 9.8) concerns weak default credentials (e.g., Admin:1234, Zyuser:1234, Supervisor:Zyad1234) that grant full control over the device. The Supervisor account carries hidden privileges that give complete system access, while Zyuser can chain into CVE-2024-40891 for code execution.
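The two paragraphs above describe a command-injection bug class (unvalidated CLI arguments reaching a shell) and a default-account weakness. The following Python example, added here and not taken from Zyxel or from VulnCheck, shows the unsafe command-building pattern next to a hardened validator, and then runs a small detector over a constructed Telnet/CLI log to flag the two things a defender would watch for: successful logins to the default accounts named in the advisory, and CLI commands carrying shell metacharacters. The CLI verb allowlist, log format and log lines are assumptions made for the example, not the device's real command set or log output.

```python
import re
from typing import Dict, List, Optional

# Characters that let one CLI argument become additional shell commands when the
# argument is spliced into a command line that a shell later parses.
SHELL_METACHARS = frozenset(";|&`$<>(){}\n")

# Hypothetical verbs a restricted Telnet CLI might expose. This allowlist is an
# assumption for the example, not Zyxel's real command set.
ALLOWED_VERBS = frozenset({"ping", "traceroute", "show"})

# Account names the advisory lists as shipping with weak default passwords.
DEFAULT_ACCOUNTS = frozenset({"admin", "zyuser", "supervisor"})


def build_command_unsafe(verb: str, arg: str) -> str:
    """The bug class behind CVE-2024-40891: untrusted text is spliced into a
    command string without validation. Once this string reaches /bin/sh, any
    text after ';' or '|' in `arg` runs as a separate command. Shown only for
    contrast with the hardened form below."""
    return f"{verb} {arg}"


def reject_reason(verb: str, arg: str) -> Optional[str]:
    """Return why the CLI input must be rejected, or None if it is acceptable."""
    if verb not in ALLOWED_VERBS:
        return f"verb not permitted: {verb!r}"
    bad = sorted(set(arg) & SHELL_METACHARS)
    if bad:
        return f"shell metacharacters in argument: {bad}"
    # Only a plain hostname, IP address or short token is accepted.
    if not re.fullmatch(r"[A-Za-z0-9.\-:]{1,253}", arg):
        return "argument is not a plain host, address or token"
    return None


def build_command_safe(verb: str, arg: str) -> List[str]:
    """Hardened form: allowlisted verb, metacharacter-free argument, and an argv
    list so that no shell ever parses the result (subprocess.run with shell=False)."""
    reason = reject_reason(verb, arg)
    if reason is not None:
        raise ValueError(reason)
    return [verb, arg]


# Assumed log format for the detector: one login or one CLI event per line.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>telnetd|cli) user=(?P<user>\S+) src=(?P<ip>\S+) '
    r'(?:result=(?P<result>\w+)|cmd="(?P<cmd>.*)")$'
)

# Constructed sample log lines (not captured from a real device).
CONSTRUCTED_LOG = """\
2025-02-05T10:01:12Z telnetd user=supervisor src=203.0.113.7 result=ok
2025-02-05T10:01:15Z cli user=supervisor src=203.0.113.7 cmd="ping 127.0.0.1; id"
2025-02-05T10:02:01Z telnetd user=admin src=198.51.100.4 result=fail
2025-02-05T10:03:40Z cli user=operator src=192.0.2.9 cmd="show version"
"""


def audit_telnet_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious event: a successful login to a
    default-credential account, or a CLI command containing shell metacharacters."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unknown line shape; a real parser would count these
        user, ip, ts = m["user"], m["ip"], m["ts"]
        if m["src"] == "telnetd" and m["result"] == "ok" and user.lower() in DEFAULT_ACCOUNTS:
            findings.append({"kind": "default-account-login", "user": user, "ip": ip, "ts": ts})
        elif m["src"] == "cli" and set(m["cmd"]) & SHELL_METACHARS:
            findings.append({"kind": "metachar-in-command", "user": user, "ip": ip,
                             "ts": ts, "cmd": m["cmd"]})
    return findings


if __name__ == "__main__":
    print("unsafe:", build_command_unsafe("ping", "192.0.2.1; id"))
    print("safe:  ", build_command_safe("ping", "192.0.2.1"))
    print("reject:", reject_reason("ping", "192.0.2.1; id"))
    for f in audit_telnet_log(CONSTRUCTED_LOG):
        print(f)
```

The validator rejects on three independent grounds (verb not allowlisted, metacharacters present, argument shape wrong), and the safe builder returns an argv list rather than a string, so even a missed character cannot be reinterpreted by a shell. The detector treats any successful login by a default account as a finding on its own, because the advisory says the Supervisor account alone grants full system access; a metacharacter in a CLI command is flagged regardless of which account issued it.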
VulnCheck demonstrated these vulnerabilities on a VMG4325-B10A running outdated firmware. Despite being