🔴 CVE-2024-40891

Post-authentication command injection vulnerability in the Zyxel VMG4325-B10A DSL modem allows authenticated attackers to execute OS commands via Telnet. This is a legacy, unsupported device, and the vulnerability is actively exploited in the wild according to its CISA KEV listing.

Risk Level: HIGH_RISK
CVSS Score: 8.8
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-02-04

Added to CISA KEV: 2025-02-11 (7 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-40891 is a post-authentication command injection vulnerability affecting the legacy Zyxel VMG4325-B10A DSL CPE device [2] [4].

Technical Details and Exploitation
  • Attack Method: The vulnerability exists in the management commands of the device's firmware and is triggered via the Telnet interface [2] [4].
  • Requirements: Exploitation requires the attacker to be authenticated to the device [2]. Because many of these legacy devices still use default credentials, this requirement is often trivially met, effectively enabling remote code execution for attackers who can reach the Telnet interface [3].
  • Impact: Successful exploitation allows an attacker to execute arbitrary operating system commands on the affected device, which can lead to complete system compromise, data exfiltration, or further network infiltration [1].
Exploitation in the Wild
  • Active Exploitation: The vulnerability has been observed being actively exploited in the wild by threat actors, with reports indicating that hackers have leveraged it to target exposed systems [1].
  • Ransomware and Targeted Attacks: While the vulnerability is used for unauthorized access and system compromise, there is no specific information linking it to widespread ransomware campaigns; it is primarily associated with general exploitation of exposed CPE devices [1].
Affected Versions and Mitigation
  • Affected Product: Zyxel VMG4325-B10A DSL CPE running firmware version `1.00(AAFR.4)C0_20170615` [2] [4].
  • Status: The device is considered "legacy," and the vulnerability is marked as "UNSUPPORTED WHEN ASSIGNED," suggesting that official patches may not be forthcoming for this specific firmware version [2]. Users are generally advised to replace end-of-life hardware or ensure that management interfaces (like Telnet) are not exposed to the public internet.

Sources

  1. Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024 ...

    CVE-2024-40891: Zyxel CPE Zero-day Exploitation. Hackers are actively exploiting a telnet-based command injection vulnerability in Zyxel CPE devices, impac…

  2. CVE-2024-40891 Detail - NVD

    **UNSUPPORTED WHEN ASSIGNED** A post-authentication command injection vulnerability in the management commands of the legacy DSL CPE Zyxel VMG4325-B10A firmware ...

  3. CVE-2024-40891 - Exploits & Severity - Feedly

    The impact of this vulnerability is significant, with a high severity rating. Successful exploitation could lead to: 1. Execution of arbitrary ... CVE-2024-40891 is a critical authenticated command injection vulnerability in Telnet command processing that allows attackers with user account access to…

  4. CVE-2024-40891 : Command Injection Vulnerability in Zyxel DSL...

    CVE-2024-40891 is a command injection vulnerability found in the Zyxel DSL CPE firmware, specifically impacting the VMG4325-B10A model running a legacy firmware version. This vulnerability allows an authenticated attacker to execute arbitrary operating system commands on the affected device through…