Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days


Taiwanese networking equipment maker Zyxel on Tuesday advised that two actively exploited zero-day vulnerabilities affecting multiple legacy DSL CPE products will not be patched.

The notice comes roughly one week after threat intelligence firm GreyNoise warned that more than 1,500 devices are affected by a critical command injection bug actively exploited by a Mirai-based botnet.

“After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai and confirmed that the ability to exploit CVE-2024-40891 has been incorporated into some Mirai strains,” GreyNoise said.
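The correlation GreyNoise describes, matching the source IPs seen exploiting a CVE against IPs already classified as a known botnet, is a routine threat-intelligence check. The following is an added example of how such an overlap analysis can be carried out; it is not GreyNoise's code, and the log lines are constructed for illustration (RFC 5737 documentation addresses, not real attacker IPs). The `"ts ip tag"` line format and the tag names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sensor observations (not real data). Each line is
# "<timestamp> <source_ip> <tag>", where the tag records why the sensor
# flagged the source: an attempt against the Zyxel command injection
# ("CVE-2024-40891") or a match on a Mirai scanner/loader signature ("Mirai").
CONSTRUCTED_LOG = """\
# timestamp              source_ip      tag
2025-02-01T10:00:01Z     203.0.113.10   CVE-2024-40891
2025-02-01T10:00:05Z     203.0.113.10   Mirai
2025-02-01T10:02:13Z     203.0.113.11   CVE-2024-40891
2025-02-01T10:02:20Z     203.0.113.11   Mirai
2025-02-01T10:05:42Z     203.0.113.12   Mirai
2025-02-01T10:05:49Z     203.0.113.12   CVE-2024-40891
2025-02-01T10:06:00Z     203.0.113.10   CVE-2024-40891
2025-02-01T11:17:31Z     198.51.100.7   CVE-2024-40891
2025-02-01T11:30:02Z     192.0.2.44     Mirai
2025-02-01T11:31:55Z     192.0.2.45     Mirai
"""


def parse_observations(text):
    """Group distinct source IPs by tag. Repeated hits from one IP count once,
    since the question is 'which sources', not 'how many attempts'."""
    by_tag = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the run
        _ts, ip, tag = parts
        by_tag[tag].add(ip)
    return by_tag


def overlap_report(by_tag, exploit_tag, botnet_tag):
    """Compare the set of IPs exploiting a CVE with the set classified as a
    botnet. Returns the shared IPs plus two ratios: the share of exploiters
    that are botnet-classified, and the Jaccard index of the two sets."""
    exploiters = by_tag.get(exploit_tag, set())
    botnet = by_tag.get(botnet_tag, set())
    shared = exploiters & botnet
    union = exploiters | botnet
    return {
        "exploiters": len(exploiters),
        "botnet": len(botnet),
        "shared": shared,
        "fraction_of_exploiters": len(shared) / len(exploiters) if exploiters else 0.0,
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


def likely_incorporated(by_tag, exploit_tag, botnet_tag, min_fraction=0.5, min_shared=3):
    """Heuristic trigger for a deeper look (e.g. pulling a sample of the botnet
    binary): a majority of exploiters are botnet-classified and the overlap is
    more than one or two IPs. Thresholds are illustrative assumptions."""
    r = overlap_report(by_tag, exploit_tag, botnet_tag)
    return len(r["shared"]) >= min_shared and r["fraction_of_exploiters"] >= min_fraction


if __name__ == "__main__":
    tags = parse_observations(CONSTRUCTED_LOG)
    report = overlap_report(tags, "CVE-2024-40891", "Mirai")
    print(f"{report['exploiters']} exploiting IPs, {report['botnet']} Mirai IPs, "
          f"{len(report['shared'])} shared "
          f"({report['fraction_of_exploiters']:.0%} of exploiters)")
    for ip in sorted(report["shared"]):
        print("  shared:", ip)
    print("investigate Mirai variant:", likely_incorporated(tags, "CVE-2024-40891", "Mirai"))
```

On the constructed data, three of the four exploiting IPs are also Mirai-classified (75%), which would trip the illustrative threshold; a real investigation would then confirm the conclusion by reversing a captured sample, as GreyNoise did, rather than relying on IP overlap alone, since shared infrastructure and NAT can inflate such ratios.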

Tracked as CVE-2024-40891, the flaw was initially disclosed in mid-2024 alongside CVE-2024-40890, a similar command injection issue; the main difference between the two is the attack vector (HTTP vs Telnet).

Attackers could exploit these security defects to execute arbitrary commands on vulnerable devices for complete takeover and data exfiltration, potentially compromising the networks the products have been deployed on.

On Tuesday, Zyxel confirmed that the two issues impact multiple DSL CPE models, namely VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500.

Zyxel also notes that WAN access and the Telnet service abused in the attacks are disabled by default on these devices, and that an attacker would first need to log in to an affected device using compromised credentials in order to exploit the bugs.

According to the vendor, because the affected models are legacy devices for which support was halted years ago, no patch will be released for either of the bugs. The same applies to a newly discovered vulnerability in these DSL CPE products, tracked as CVE-2025-0890, which allows attackers to log in to the management interface using default credentials.


VulnCheck, which reported the vulnerabilities to Zyxel, explains that the affected devices are provisioned with three hardcoded accounts, namely ‘supervisor’, ‘admin’, and ‘zyuser’.

The supervisor account, which is not visible in the web interface, is usable over the Telnet interface, where it has access to a hidden command that grants unrestricted access to the system.

The zyuser account, which is visible in the user table, has elevated privileges, and can be abused to achieve full remote code execution via the exploited CVE-2024-40891 vulnerability.

“While these devices are aging and supposed to be out of support, thousands remain exposed online. The combination of default credentials and command injection makes them easy targets, highlighting the dangers of insecure default configurations and poor vulnerability transparency,” VulnCheck says.

According to Zyxel, VulnCheck reported CVE-2024-40890 and CVE-2024-40891 in July 2024 without providing a detailed report, and instead disclosed the bugs publicly. VulnCheck only sent details on all three bugs after GreyNoise’s in-the-wild exploitation warning last week.

The affected devices “are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection,” the vendor warns.
