Critical Zyxel Zero-Day (CVE-2024-40891) Actively Exploited by Mirai Botnet Variants

• A critical zero-day vulnerability in 1,500 Zyxel devices is under active exploitation.
• There is no available fix to the flaw that allows unauthenticated arbitrary code execution.
• Affected devices could be exposed to full system compromise, data exfiltration, and network infiltration.

Security researchers have identified active exploitation attempts targeting a critical zero-day vulnerability in Zyxel CPE Series devices, tracked as CVE-2024-40891. This vulnerability has not yet been patched or officially disclosed by the vendor.

A GreyNoise security report mentioned observing active exploitation attempts targeting the zero-day critical command injection flaw, which allows unauthenticated attackers to execute arbitrary commands on affected devices, potentially leading to full system compromise, data exfiltration, and network infiltration. 

At the time of writing, over 1,500 devices vulnerable to CVE-2024-40891 are reported to be exposed online, according to data from Censys.

Disclosed as "Zyxel CPE Telnet Command Injection" by VulnCheck on August 1, 2024, CVE-2024-40891 is a critical telnet-based command injection flaw. It enables attackers to exploit service accounts (e.g., supervisor or zyuser) to bypass authentication and execute malicious commands remotely. 

Researchers note that CVE-2024-40891 shares significant similarities with CVE-2024-40890, a related HTTP-based vulnerability, but with differing exploitation methods.

GreyNoise observed noticeable overlaps between IP addresses exploiting CVE-2024-40891 and those historically linked to Mirai botnet activity. Further investigation confirmed that some variants of Mirai have already incorporated exploit capabilities targeting this vulnerability. 

GreyNoise's efforts to identify and monitor threat actor behavior led to the creation of a specific tag for CVE-2024-40891, aiding security teams in detecting and mitigating related attacks.

Despite the flaw’s critical nature, Zyxel has yet to issue an official advisory or patch addressing the flaw. 

VulnCheck had initially disclosed information about the vulnerability to partners as part of responsible disclosure protocols. However, due to the observed surge in exploitation attempts and the increasing risk to vulnerable devices, researchers collaborated to publish details preemptively on January 21, 2025. 

The decision was made to prioritize user protection in light of the significant attack volume and the widespread exposure of affected devices.