- Security researchers warn of two Zyxel flaws being abused in the wild
- The manufacturer confirmed the findings but said the devices are no longer supported
- Users are advised to migrate to newer models
Zyxel has acknowledged a number of security issues with some of its most popular routers, but says it won’t be issuing any patches due to the devices reaching their end-of-life.
Security researchers first discovered two vulnerabilities in a number of Zyxel’s internet-connected devices in summer 2024, and warned earlier this month that the flaws are being exploited in the wild.
In a newly released security advisory, the Taiwanese networking gear manufacturer acknowledged the flaws, and the fact that they’re being abused in the wild, but stressed that the vulnerable devices are past their end-of-life date and thus are no longer supported. Instead, users should migrate to newer, still supported devices.
Wide attack surface
The two vulnerabilities are tracked as CVE-2024-40891 (improper command validation), and CVE-2025-0890 (weak default credentials flaw).
“Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise’s blog.
Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years.
Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection,” Zyxel said in the advisory.
In its writeup, BleepingComputer says that both FOFA and Censys are showing more than 1,500 Zyxel CPE Series devices exposed to the internet, suggesting that the attack surface is “significant”. At the same time, VulnCheck also shared a proof-of-concept (PoC) against VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615, showing that the attack is more than just theoretical.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” VulnCheck said. “The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”
Leave a comment