Zyxel won't patch end-of-life routers against zero-day attacks

Networking hardware vendor Zyxel has no plans to patch multiple end-of-life routers against new zero-day flaws and advises customers to replace affected devices entirely.

Networking hardware vendor Zyxel said it won't patch several of its end-of-life routers against three vulnerabilities that are under attack.

In late January, threat intelligence vendor GreyNoise reported that a zero-day vulnerability targeting Zyxel products, CVE-2024-40891, was being exploited in strains of the Mirai botnet malware. Glenn Thorpe, GreyNoise senior director of security research and the blog post's author, wrote that a Censys scan found 1,500 vulnerable devices and that the post-authentication command injection vulnerability had been neither patched nor publicly disclosed.

Thorpe said another threat intelligence vendor, VulnCheck -- which discovered the original vulnerability -- disclosed CVE-2024-40891 to its partners in August 2024. GreyNoise collaborated with VulnCheck in January to coordinate disclosure and verify the accuracy of the former's threat research. Notably, GreyNoise did not coordinate disclosure with Zyxel. "Ordinarily, disclosure would be coordinated with the vendor, but due to the large number of attacks, we decided to publish this immediately," Thorpe wrote.

Zyxel on Tuesday formally disclosed three flaws in an advisory: CVE-2024-40890, CVE-2024-40891 and CVE-2025-0890.

CVE-2024-40890 is a critical post-authentication command injection vulnerability with an 8.8 CVSS score. Zyxel said in the advisory that the flaw "could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request."

CVE-2024-40891, CVSS 8.8, is a post-authentication command injection vulnerability in the management commands of certain router models that "could allow an authenticated attacker to execute OS commands on an affected device via Telnet."

CVE-2025-0890, CVSS 9.8, is a credential-related issue in which "[i]nsecure default credentials for the Telnet function in certain legacy DSL CPE models ... could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so."

The vendor stressed in all three cases that "WAN access and the Telnet function are disabled by default on these devices" and, for the first two flaws, that attacks could only succeed if user-configured passwords had already been compromised.

Affected router models include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300 and SBG3500.

Zyxel said these routers are legacy products that have reached end-of-life status "for several years." As such, the vendor apparently won't patch the vulnerabilities and instead advised customers to replace the affected products with newer-generation ones. "Additionally, disabling remote access and periodically changing passwords are proactive measures that can help prevent potential attacks," the advisory read.

VulnCheck, which reported CVE-2024-40890, CVE-2024-40891 and CVE-2025-0890 to Zyxel, published its own advisory Tuesday. VulnCheck CTO Jacob Baines wrote that the end-of-life routers weren't listed on Zyxel's EOL page and that some affected routers remain on sale at Amazon.

"While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers," Baines wrote. "The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research."

In a disclosure timeline in its advisory, Zyxel appeared to express frustration with VulnCheck's handling of the situation. Zyxel said VulnCheck notified the vendor of the vulnerabilities on July 13 "without providing any reports." On July 14, Zyxel requested that VulnCheck provide a detailed report, but "VulnCheck did not respond." On July 31, VulnCheck "published CVE-2024-40890 and CVE-2024-40891 on their blog without informing Zyxel."

Informa TechTarget contacted Zyxel and VulnCheck for additional comment.

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.