Malware hunters at GreyNoise are reporting active exploitation of a newly discovered zero-day vulnerability in Zyxel CPE devices alongside warnings that there are no patches available from the vendor.
GreyNoise, which monitors the internet for malicious activity, described the flaw as a critical command injection issue that opens the door for attackers to gain full system compromise.
The company is tracking the issue as CVE-2024-40891 and cautions that, according to data from Censys, there are more than 1,500 devices currently exposed to exploitation.
According to GreyNoise's write-up, the vulnerability is similar to the previously patched CVE-2024-40890, but where that older flaw is exploited over HTTP, the new zero-day is exploited over Telnet.
Both allow unauthenticated attackers to leverage service accounts such as “supervisor” or “zyuser” to gain high-level access, GreyNoise said.
To date, there has been no communication from Zyxel on the issue. GreyNoise said it decided to publish details of the issue ahead of the availability of patches because the issue has been in the public domain since August 2024.
This is not the first time Zyxel vulnerabilities have been abused by threat actors. In recent months, the Helldown ransomware operators and other groups targeted Zyxel firewall weaknesses for initial compromise.
These attacks have led to credential theft, network infiltration, and installation of rogue admin accounts.
In the absence of official fixes, GreyNoise is recommending that defenders immediately restrict Telnet administrative access to trusted IP ranges and disable unnecessary remote services.
The company also recommends monitoring network logs for unusual traffic aimed at Zyxel CPE management interfaces. Administrators should watch Zyxel’s security advisories for any forthcoming patches, applying them as soon as they become available, GreyNoise said.
GreyNoise is also pushing network defenders to halt the use of end-of-life Zyxel devices and verify there are no newly created accounts that could indicate compromise.
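The log-monitoring and account-review steps recommended above, as an added example that is not GreyNoise's or Zyxel's own tooling: a small Python script that reads connection and login log lines, flags Telnet (the CVE-2024-40891 vector) and HTTP (the CVE-2024-40890 vector) sessions to CPE management addresses from sources outside a trusted admin range, and flags logins to the "supervisor" and "zyuser" service accounts from the same untrusted sources. The log line format, the management address list and the trusted range are assumptions constructed for the example; the sample log is constructed as well.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed (hypothetical): management addresses of the Zyxel CPE devices being watched.
CPE_MANAGEMENT_ADDRS = {"203.0.113.10", "203.0.113.11"}
# Assumed (hypothetical): the only network administrators should manage the CPEs from.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Ports for the two attack vectors the article names: Telnet and HTTP(S).
MANAGEMENT_PORTS = {23: "telnet", 80: "http", 443: "https"}
# Service accounts the article says the exploits leverage.
SERVICE_ACCOUNTS = {"supervisor", "zyuser"}

# Assumed log format, constructed for this example (not a real Zyxel or firewall format):
#   "<ts> CONN src=<ip>:<port> dst=<ip>:<port> proto=tcp"
#   "<ts> LOGIN user=<name> src=<ip> service=<telnet|http>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+) CONN src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>[\d.]+) service=(?P<svc>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str
    src: str
    detail: str


def is_trusted(src: str) -> bool:
    """True when the source address falls inside one of the trusted admin networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze(lines):
    """Return findings for untrusted management access and service-account logins."""
    findings = []
    for line in lines:
        line = line.strip()
        m = CONN_RE.match(line)
        if m:
            dport = int(m["dport"])
            # A management-port connection to a CPE from outside the trusted range.
            if (m["dst"] in CPE_MANAGEMENT_ADDRS
                    and dport in MANAGEMENT_PORTS
                    and not is_trusted(m["src"])):
                findings.append(Finding(m["ts"], "untrusted_mgmt_access", m["src"],
                                        f"{MANAGEMENT_PORTS[dport]} to {m['dst']}"))
            continue
        m = LOGIN_RE.match(line)
        if m and m["user"] in SERVICE_ACCOUNTS and not is_trusted(m["src"]):
            # The exploits abuse these accounts; a login from an untrusted source is a red flag.
            findings.append(Finding(m["ts"], "service_account_login", m["src"],
                                    f"{m['user']} via {m['svc']}"))
    return findings


# Constructed sample log: one trusted admin session, then an untrusted host
# hitting Telnet and HTTP and logging in as "supervisor".
SAMPLE_LOG = """\
2025-01-28T10:00:01Z CONN src=192.0.2.5:51000 dst=203.0.113.10:23 proto=tcp
2025-01-28T10:00:02Z LOGIN user=admin src=192.0.2.5 service=telnet
2025-01-28T10:05:17Z CONN src=198.51.100.77:40211 dst=203.0.113.10:23 proto=tcp
2025-01-28T10:05:18Z LOGIN user=supervisor src=198.51.100.77 service=telnet
2025-01-28T10:06:03Z CONN src=198.51.100.77:40212 dst=203.0.113.11:80 proto=tcp
2025-01-28T10:07:40Z CONN src=198.51.100.9:22222 dst=203.0.113.10:8443 proto=tcp
2025-01-28T10:09:00Z CONN src=192.0.2.8:51200 dst=203.0.113.11:443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.kind:24} src={f.src} {f.detail}")
```

On the sample log the script reports three findings, all from 198.51.100.77: the Telnet connection to 203.0.113.10, the "supervisor" login over Telnet, and the HTTP connection to 203.0.113.11. The connection to port 8443 goes unreported because only the ports in MANAGEMENT_PORTS are treated as management traffic, so that table should be extended to whatever ports the devices actually expose; the trusted-range check is the same allowlist logic the article recommends enforcing at the network edge, applied here for detection rather than blocking.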