
A previously undisclosed vulnerability in Zyxel CPE Series devices is being actively exploited by attackers, and no patch is available. The flaw, tracked as CVE-2024-40891, was first reported last July by VulnCheck, a firm specializing in vulnerability intelligence. Six months later, Zyxel has neither patched the issue nor publicly acknowledged it.
Understanding the Threat
According to VulnCheck, successful exploitation lets an attacker execute arbitrary commands on the affected device, which can lead to full system compromise, infiltration of the network behind it, and data exposure. GreyNoise researchers, working with VulnCheck, chose to disclose the vulnerability publicly this week because of the high volume of exploitation attempts they have observed.
Comparison with Similar Vulnerabilities
CVE-2024-40891 closely resembles a second issue, tracked as CVE-2024-40890. The two differ mainly in attack vector: one is reachable over telnet, the other over HTTP. Both allow unauthenticated attackers to run arbitrary commands through service accounts such as "supervisor" or "zyuser."
Potential Impact
With no patch available, the exposure is critical. Censys, a security research firm, counts more than 1,500 vulnerable devices reachable from the internet. GreyNoise also reports that some botnet operators have built an exploit for the bug into their malware, including certain Mirai variants.
Integration with Mirai Botnet
The researchers found substantial overlap between the IP addresses attacking CVE-2024-40891 and those already associated with Mirai botnets, and confirmed that some Mirai variants carry an exploit for this vulnerability, further raising the threat level.
Recommendations for Mitigation
In the absence of a fix, GreyNoise recommends the following defensive measures:
- Filter traffic for unusual requests aimed at Zyxel CPE management interfaces.
- Regularly check Zyxel's security updates for patch announcements.
- Limit administrative interface access to trusted IP addresses only.
- Deactivate any unused remote management functionalities.
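As an added illustration of the first and third recommendations (this is example code written for this article, not a tool from GreyNoise, VulnCheck or Zyxel), the Python check below reads firewall log lines and flags any TCP connection to a CPE's telnet or HTTP management port that comes from a source outside a trusted allowlist. The log line format, the management ports, the trusted network and the sample entries are all constructed assumptions; since both vectors are unauthenticated, restricting reachability at the network edge is the control that matters most until a patch exists.

```python
import ipaddress
import re

# Assumed log line format (constructed for this example; not a real Zyxel or
# firewall format): a timestamp followed by iptables-style KEY=VALUE pairs.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

# Management ports assumed here: telnet (23) and HTTP (80), the two vectors
# named for CVE-2024-40890 and CVE-2024-40891.
MGMT_PORTS = {23, 80}

def parse_line(line):
    """Return (src_ip, dst_ip, proto, dport), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"], int(m["dpt"]))

def is_trusted(ip, trusted_nets):
    """True if ip falls inside any allowlisted network (IPv4 or IPv6)."""
    return any(ip in net for net in trusted_nets)

def find_untrusted_mgmt_access(lines, trusted_cidrs, mgmt_ports=MGMT_PORTS):
    """Return (src, dst, dport) for every TCP connection to a management port
    whose source is outside the trusted allowlist; malformed lines are skipped."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto == "TCP" and dport in mgmt_ports and not is_trusted(src, trusted):
            hits.append((str(src), str(dst), dport))
    return hits

# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    "2025-01-29T10:02:11Z kernel: FW_IN SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP DPT=23",
    "2025-01-29T10:02:14Z kernel: FW_IN SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23",
    "2025-01-29T10:02:20Z kernel: FW_IN SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80",
    "2025-01-29T10:02:31Z kernel: FW_IN SRC=203.0.113.9 DST=198.51.100.10 PROTO=UDP DPT=53",
    "this line is malformed and must be skipped",
]
TRUSTED = ["192.0.2.0/24"]  # assumed administrator network

if __name__ == "__main__":
    for src, dst, dport in find_untrusted_mgmt_access(SAMPLE_LOG, TRUSTED):
        print(f"untrusted management access: {src} -> {dst}:{dport}")
```

Each hit is a candidate for a blocking rule on the perimeter device and a signal that the management interface is reachable from outside the allowlist.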
Conclusion
The ongoing exploitation of Zyxel CPE devices underscores the importance of proactive vulnerability management and monitoring. Until a patch is released, operators of these devices should apply the measures above, in particular restricting and monitoring access to the management interfaces, to reduce their exposure.