Jan 29, 2025Ravie LakshmananVulnerability / Network Security
Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild.
“Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration,” GreyNoise researcher Glenn Thorpe in an alert published Tuesday.
The vulnerability in question is CVE-2024-40891, a critical command injection vulnerability that has neither been publicly disclosed nor patched. The existence of the bug was by VulnCheck in July 2024.
Statistics gathered by the threat intelligence firm attack attempts have originated from , with a majority of them located in Taiwan. According to Censys, there are more than online.
“CVE-2024-40891 is very similar to CVE-2024-40890, with the main difference being that the former is Telnet-based while the latter is HTTP-based,” GreyNoise added. “Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts.”
VulnCheck told The Hacker News that it’s working through its disclosure process with the Taiwanese company. We have reached out to Zyxel for further comment, and we will update the story if we hear back.
In the meantime, users are advised to filter traffic for unusual HTTP requests to Zyxel CPE management interfaces and restrict administrative interface access to trusted IPs.
The development comes as Arctic Wolf reported it observed a campaign starting January 22, 2025, that involved gaining unauthorized access to devices running SimpleHelp remote desktop software as an initial access vector.
It’s currently not known if the attacks are linked to the exploitation of in the product (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that could allow a bad actor to escalate privileges to administrative users and upload arbitrary files.
“The first signs of compromise were communications from the client process to an unapproved SimpleHelp server instance,” security researcher Andres Ramos . “The threat activity also involved enumeration of accounts and domain information through a cmd.exe process initiated via a SimpleHelp session, using tools such as net and nltest. The threat actors were not observed acting on objectives because the session was terminated before the attack progressed further.”
Organizations are strongly advised to update their SimpleHelp instances to the latest available fixed versions to secure against potential threats.
Update
The company told the publication there are clear signs that threat actors are attempting to exploit the vulnerability en masse. It also pointed out that some variants have already added the ability to exploit CVE-2024-40891 after identifying a “significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai.”
Found this article interesting? Follow us on and to read more exclusive content we post.