
CVE-2024-40891: Zyxel Won’t Patch Exploited Flaws in Legacy Devices

Zyxel is urging customers to replace legacy DSL CPE routers impacted by a previously disclosed and targeted vulnerability.

Taiwanese networking company Zyxel this week said it is not patching previously disclosed and exploited vulnerabilities in several legacy DSL CPE router products, instead urging customers to replace their impacted devices.

Key Details:

  • The exploited vulnerability, CVE-2024-40891, is a command injection bug in the management commands component of certain DSL CPE devices, which could enable authenticated attackers to execute operating system commands on devices via Telnet

  • Another previously disclosed flaw, CVE-2024-40890, is a command injection flaw in the CGI program of DSL CPE models. The flaw could enable authenticated attackers to execute operating system commands on impacted devices by sending a crafted HTTP POST request

  • Zyxel said that the DSL CPE models impacted by the flaw “are legacy products that have reached end-of-life (EOL) for years” (though as of Feb. 5 they are not listed on Zyxel’s end of life page), and recommended that users replace them with “newer-generation products”

The Background: Zyxel published the security advisory for the vulnerabilities on Feb. 4. The flaws were first disclosed by VulnCheck on July 31, 2024, and GreyNoise published further details about the vulnerabilities on Jan. 28, 2025, saying it had observed exploitation attempts against CVE-2024-40891.

GreyNoise researchers identified “significant overlap” between the IPs exploiting the flaw and those classified as Mirai, and found that certain Mirai strains included the ability to exploit CVE-2024-40891.

“At this time, the vulnerability is not patched, nor has it been publicly disclosed,” according to Glenn Thorpe with GreyNoise on Jan. 28. “Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration.”

Impacted Models: The following models of Zyxel’s DSL CPE series are impacted: VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500.

Zyxel said the impacted devices are end-of-life, and noted that the WAN access and the Telnet functions are disabled by default. However, Censys is reporting over 1,500 vulnerable devices online. Additionally, some of the impacted legacy models are still available for sale on Amazon, VulnCheck researcher Jacob Baines said in a Tuesday analysis.
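The practical question for an operator is which devices on their own network fall into the model list above and whether the non-default Telnet/WAN management settings are actually on. The following is an added illustration, not code from Zyxel, VulnCheck or GreyNoise: it triages a constructed inventory CSV (the column names, hostnames and settings are assumptions made up for the example) against the twelve models the article names, ranking EOL devices with remote management enabled and reachable from the internet highest.

```python
"""Triage a router inventory against the Zyxel DSL CPE models named in the
CVE-2024-40890 / CVE-2024-40891 coverage above.

Added example, not vendor or researcher code. The CSV layout, the field
names and every device row in SAMPLE_INVENTORY are constructed; only the
model list and the 'Telnet and WAN access off by default' facts come
from the article.
"""
import csv
import io
from dataclasses import dataclass

# Impacted models exactly as listed in the article.
IMPACTED_MODELS = {
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500",
}


@dataclass
class Finding:
    hostname: str
    model: str
    priority: str   # "critical", "high", "medium" or "none"
    reason: str


def normalize_model(raw: str) -> str:
    """Map vendor strings such as 'zyxel vmg1312-b10a' to the advisory form."""
    token = raw.strip().upper().replace("ZYXEL", "").strip()
    return token.replace(" ", "")


def truthy(value: str) -> bool:
    """Accept the usual spellings of 'enabled' found in exported configs."""
    return value.strip().lower() in {"1", "true", "yes", "y", "on", "enabled"}


def triage_row(row: dict) -> Finding:
    """Rank one inventory row; columns other than hostname/model are assumed."""
    model = normalize_model(row["model"])
    host = row["hostname"]
    if model not in IMPACTED_MODELS:
        return Finding(host, model, "none", "model not in the advisory list")
    telnet = truthy(row.get("telnet_enabled", "no"))
    wan_admin = truthy(row.get("wan_admin_enabled", "no"))
    internet = truthy(row.get("internet_facing", "no"))
    if internet and (telnet or wan_admin):
        return Finding(host, model, "critical",
                       "EOL model with remote management reachable from the internet")
    if telnet or wan_admin:
        return Finding(host, model, "high",
                       "EOL model with Telnet or WAN management enabled (off by default)")
    return Finding(host, model, "medium",
                   "EOL model; management off as shipped, still schedule replacement")


def triage_inventory(csv_text: str) -> list[Finding]:
    """Triage every row of an inventory CSV and return the findings in order."""
    return [triage_row(r) for r in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample inventory: hostnames, settings and exposure are made up.
SAMPLE_INVENTORY = """hostname,model,telnet_enabled,wan_admin_enabled,internet_facing
branch-01,Zyxel VMG1312-B10A,yes,no,yes
branch-02,VMG3926-B10B,no,no,no
branch-03,SBG3500,no,yes,no
core-fw,Other-Vendor-FW,yes,yes,yes
"""

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.priority:8} {f.hostname:10} {f.model:14} {f.reason}")
```

The ordering deliberately treats an affected model with management disabled as still needing replacement: the article's point is that the vendor will not ship a fix, so a config-level mitigation only buys time. Swap `SAMPLE_INVENTORY` for an export from your own asset system with the same columns to run it against real data.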

Why It Matters: While these flaws exist in legacy devices, they are still significant because hundreds of impacted devices remain exposed online, and CVE-2024-40891 is being utilized in attacks. “Unsupported does not mean unexploited, and this research underscores the lasting impact of insecure legacy devices,” said Baines.

“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” Baines said. “The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”