Security News > 2025 > January > Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)

Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)
2025-01-29 16:23

CVE-2024-40891, a command injection vulnerability in Zyxel CPE Series telecommunications devices that has yet to be fixed by the manufacturer, is being targeted by attackers, cybersecurity company Greynoise has warned. Successful exploitation would allow attackers to execute arbitrary commands on affected devices, potentially leading to complete system compromise, network infiltration, and data exfiltration. “After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai … More → The post Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) appeared first on Help Net Security.


News URL

https://www.helpnetsecurity.com/2025/01/29/zyxel-cpe-devices-under-attack-vulnerability-cve-2024-40891/

Related news

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2025-02-04 CVE-2024-40891 OS Command Injection vulnerability in Zyxel products
**UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device via Telnet.
network
low complexity
zyxel CWE-78
8.8
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zyxel 395 0 74 88 49 211