
Zyxel Legacy Routers Compromised via Unpatched Vulnerability

Users are encouraged to update their outdated Zyxel devices with the latest, supportable versions.


In a concerning development, three zero-day vulnerabilities - CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890 - have been identified in Zyxel's CPE Series devices. As of June and July 2025, there is no clear publicly available information confirming that Zyxel has released patches or updates to address these vulnerabilities.

The vulnerabilities CVE-2024-40890 and CVE-2024-40891 are known to be actively exploited, with CVE-2025-0890 also mentioned in this context. Security researchers from VulnCheck and partners have discovered these vulnerabilities being targeted in the wild, affecting end-of-life Zyxel routers and related products. Despite this, no official patch updates from Zyxel have been documented or referenced in these sources.

The current status of these vulnerabilities is that they are actively exploited in the wild, posing a significant risk to affected Zyxel CPE devices. Organizations and users of Zyxel CPE products are recommended to monitor Zyxel's official security advisories closely for any forthcoming patches. In the meantime, applying mitigations such as network segmentation, disabling affected services if possible, and enhanced monitoring for exploitation attempts is advisable to reduce risk.

A summary of the current status of these vulnerabilities is as follows:

| Vulnerability  | Vendor Patch Released | Current Status                 |
|----------------|-----------------------|--------------------------------|
| CVE-2024-40890 | No confirmed patch    | Actively exploited in the wild |
| CVE-2024-40891 | No confirmed patch    | Actively exploited in the wild |
| CVE-2025-0890  | No confirmed patch    | Actively exploited in the wild |

Jacob Baines, CTO of VulnCheck, stated that most of their conversations with Zyxel have focused on coordination of public details. Unfortunately, Zyxel has not made any public disclosure nor responded to repeated requests for comment.

The vulnerability CVE-2024-40891, disclosed by VulnCheck in August 2024, is currently being exploited in Zyxel CPE Series devices. It allows an attacker to execute arbitrary commands, and the default credentials issue, CVE-2025-0890, may further increase the risk of unauthorized access. Exploitation of CVE-2024-40891 has also been incorporated into certain strains of the Mirai botnet.

Most of the routers affected by the vulnerability are residential, but threat groups have exploited various edge devices in recent years to target critical infrastructure. The devices in question, affected by the vulnerability CVE-2024-40891, appear to be provisioned with default accounts. The use of default, insecure credentials for the Telnet function in legacy DSL CPE VMG4325-B10A firmware poses a security risk.

Zyxel urges users to replace the legacy products with modern, supported versions. Attackers who exploit these vulnerabilities can engage in various post-exploitation activities, including data exfiltration or system compromise. Threat groups may exploit the default credentials issue, CVE-2025-0890, to gain unauthorized access to the affected devices.

As these vulnerabilities continue to be actively exploited, it is crucial for users and organizations to remain vigilant and implement interim security measures until patches are released.

The vulnerabilities CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890, currently being exploited in Zyxel CPE devices, pose a significant risk because they are under active attack. As no confirmed patches have been released by Zyxel, organizations and users are advised to apply mitigations such as network segmentation, disabling affected services, and enhanced monitoring to reduce risk.
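The mitigations recommended above (disable the affected Telnet service, segment the devices, and monitor for exploitation attempts) are easier to act on with a concrete check. The following script is an added example and not code from the article, Zyxel, or VulnCheck: it reviews firewall log lines for accepted Telnet connections reaching a known legacy CPE from outside the LAN, which is exactly the exposure that the default-credential and command-injection issues turn into a compromise. The log format, the CPE address list and the sample lines are all constructed assumptions for the demonstration; the "should be DROP" finding is the signal a defender acts on by blocking port 23 at the edge or disabling Telnet on the device.

```python
"""Added example: flag Telnet reaching a legacy CPE from outside the LAN.

Not the article's or vendor's code. The log line format below is an assumption
modelled on a generic firewall syslog; adapt the regex to your own firewall.
"""
import ipaddress
import re
from collections import Counter

# Addresses of legacy Zyxel CPE devices still in service (constructed list;
# in practice this comes from your asset inventory).
CPE_HOSTS = {"198.51.100.20"}

# Only RFC 1918 space counts as "inside"; ipaddress.is_private is deliberately
# not used because it also treats documentation ranges (TEST-NET) as private.
LAN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

TELNET_PORT = 23

# Assumed firewall log layout: "<ts> fw <ACCEPT|DROP> src=.. dst=.. proto=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z fw ACCEPT src=203.0.113.5 dst=198.51.100.20 proto=TCP dport=23
2025-07-01T10:00:02Z fw ACCEPT src=203.0.113.5 dst=198.51.100.20 proto=TCP dport=23
2025-07-01T10:00:03Z fw ACCEPT src=203.0.113.9 dst=198.51.100.20 proto=TCP dport=23
2025-07-01T10:00:04Z fw ACCEPT src=192.168.1.50 dst=198.51.100.20 proto=TCP dport=23
2025-07-01T10:00:05Z fw ACCEPT src=203.0.113.5 dst=198.51.100.20 proto=TCP dport=80
2025-07-01T10:00:06Z fw DROP src=203.0.113.5 dst=198.51.100.21 proto=TCP dport=23
this line is garbage and must not crash the parser
"""


def is_external(addr: str) -> bool:
    """True when the address is outside every RFC 1918 network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LAN_NETS)


def review_telnet_exposure(log_text: str, cpe_hosts: set[str]) -> dict[str, int]:
    """Count accepted Telnet connections per external source to a legacy CPE.

    Any non-zero entry means the management service is reachable from the
    Internet and the firewall rule should be DROP; zero results means the
    segmentation/disable-Telnet mitigation is holding for this log window.
    """
    hits: Counter[str] = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than abort the review
        if m["action"] != "ACCEPT":
            continue  # already blocked; nothing exposed
        if int(m["dport"]) != TELNET_PORT or m["dst"] not in cpe_hosts:
            continue
        if is_external(m["src"]):
            hits[m["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    findings = review_telnet_exposure(SAMPLE_LOG, CPE_HOSTS)
    for src, count in sorted(findings.items(), key=lambda kv: -kv[1]):
        print(f"ALERT: {count} accepted Telnet connection(s) from {src} to a legacy CPE; rule should be DROP")
    if not findings:
        print("No external Telnet reached a legacy CPE in this log window")
```

Run it against an exported firewall log instead of `SAMPLE_LOG`; a single hit is enough to justify blocking port 23 inbound and disabling Telnet on the device, and a repeated source is a candidate for the credential-guessing activity the article describes.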
