Zyxel will not patch critical vulnerabilities in legacy DSL devices
Taiwanese hardware maker Zyxel announced that it will not release a patch for two actively exploited vulnerabilities in multiple legacy DSL customer premises equipment (CPE) products. These vulnerabilities, tracked as CVE-2024-40890 and CVE-2024-40891, allow attackers to execute arbitrary commands, leading to potential system compromise and data exfiltration.
Threat intelligence startup GreyNoise reported in late January that the zero-day vulnerabilities were being actively exploited, including by Mirai-based botnets, suggesting their use in large-scale attacks. Zyxel claims it first became aware of these vulnerabilities on January 29, after GreyNoise’s alert regarding their exploitation.
VulnCheck discovered the vulnerabilities in July 2024 and reported them to Zyxel in August of the same year. However, Zyxel did not disclose the flaws until now, stating that the affected legacy products reached end-of-life (EOL) status several years ago. The affected models include:
- VMG1312-B10A
- VMG1312-B10B
- VMG1312-B10E
- VMG3312-B10A
- VMG3313-B10A
- VMG3926-B10B
- VMG4325-B10A
- VMG4380-B10A
- VMG8324-B10A
- VMG8924-B10A
- SBG3300
- SBG3500
Zyxel further explained that the WAN access and Telnet functions commonly exploited for these vulnerabilities are disabled by default on these devices, and that an attacker would additionally need to log in using compromised credentials to exploit the bugs. The company noted that because support for these models was halted years ago, it will not provide patches for the vulnerabilities.
VulnCheck indicated that many of the vulnerable devices are still available for purchase, despite Zyxel’s designation of them as legacy products. VulnCheck also highlighted that the devices use hardcoded accounts, making them easy targets for exploitation. Approximately 1,500 vulnerable devices remain exposed to the Internet, according to Censys, a search engine for Internet-connected devices.
In addition to the aforementioned vulnerabilities, Zyxel identified a new vulnerability, CVE-2025-0890, which allows attackers to access the management interface using default credentials. Zyxel’s advice to customers is to replace these legacy products with newer-generation equipment for optimal protection.
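For defenders, the practical follow-up to an advisory like this is to find the affected models in their own asset inventory and rank them by exposure: an EOL device with WAN management or Telnet reachable and unchanged default credentials needs attention before one that is isolated. The script below is an added example written for this article; it is not code from Zyxel, VulnCheck, GreyNoise or Censys. The model list comes from the article; the inventory fields (model, wan_access, telnet, default_creds), the sample devices and the placeholder model name EXAMPLE-ROUTER-X are constructed assumptions that you would adapt to your own asset database.

```python
"""Cross-check an asset inventory against the Zyxel legacy DSL CPE models
named in the advisory. Added example, not vendor or researcher code.
The inventory record layout is an assumption for illustration."""

from dataclasses import dataclass

# Affected, end-of-life models as listed in the article.
AFFECTED_MODELS = frozenset({
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10B", "VMG4325-B10A", "VMG4380-B10A",
    "VMG8324-B10A", "VMG8924-B10A", "SBG3300", "SBG3500",
})


@dataclass
class Device:
    name: str
    model: str            # as recorded in the inventory; any case or spacing
    wan_access: bool      # remote management reachable from the WAN side
    telnet: bool          # Telnet service enabled
    default_creds: bool   # factory/default credentials still in use


def normalize_model(raw: str) -> str:
    """Map inventory spellings such as 'vmg 1312 b10a' or 'VMG1312B10A'
    onto the advisory's form 'VMG1312-B10A'. Unknown models are returned
    compacted (upper-case, alphanumerics only)."""
    compact = "".join(ch for ch in raw.upper() if ch.isalnum())
    for model in AFFECTED_MODELS:
        if compact == model.replace("-", ""):
            return model
    return compact


def assess(device: Device) -> str:
    """Return a priority label for one device.

    'none'     : model is not in the advisory.
    'replace'  : affected EOL model, but WAN access and Telnet are off
                 (the vendor defaults); replacement is still the only fix.
    'urgent'   : affected and reachable over WAN or Telnet.
    'critical' : reachable and still on default credentials; since
                 exploitation needs a login, this closes the last gap.
    """
    if normalize_model(device.model) not in AFFECTED_MODELS:
        return "none"
    exposed = device.wan_access or device.telnet
    if exposed and device.default_creds:
        return "critical"
    if exposed:
        return "urgent"
    return "replace"


def triage(devices):
    """Return {name: priority} for affected devices, most severe first."""
    order = {"critical": 0, "urgent": 1, "replace": 2}
    findings = {d.name: assess(d) for d in devices}
    affected = {n: p for n, p in findings.items() if p != "none"}
    return dict(sorted(affected.items(), key=lambda kv: order[kv[1]]))


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    Device("branch-dsl-1", "vmg1312-b10a", wan_access=True, telnet=True, default_creds=True),
    Device("branch-dsl-2", "VMG 3313 B10A", wan_access=True, telnet=False, default_creds=False),
    Device("branch-dsl-3", "SBG3300", wan_access=False, telnet=False, default_creds=False),
    Device("core-router-1", "EXAMPLE-ROUTER-X", wan_access=True, telnet=False, default_creds=False),
]

if __name__ == "__main__":
    for name, priority in triage(SAMPLE_INVENTORY).items():
        print(f"{priority:9s} {name}")
```

Run it directly to get a ranked list; feed `triage()` the export of your own inventory to get the same ranking for real assets. The normalization step matters in practice because inventories rarely record model strings in the vendor's exact form, and a missed match here means a missed EOL device.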
Featured image credit: Zyxel