- Security researchers warn of two Zyxel flaws being abused in the wild
- The manufacturer has confirmed the findings, but said that the devices are no longer supported
- Users are advised to migrate to newer models
Zyxel has acknowledged a number of security issues in some of its most popular routers, but says it will not release any patches because the devices have reached their end of life.
Security researchers first discovered two vulnerabilities in a number of Zyxel internet-connected devices in the summer of 2024, and warned earlier this month that the flaws are being exploited in the wild.
In a newly published security advisory, the Taiwanese networking equipment manufacturer acknowledged the flaws, and the fact that they are being abused in the wild, but stressed that the vulnerable devices have passed their end of life and are therefore no longer supported. Instead, users should migrate to newer, supported devices.
Large attack surface
The two vulnerabilities are tracked as CVE-2024-40891 (improper command validation) and CVE-2025-0890 (weak default credentials).
“Zyxel recently learned of CVE-2024-40890 and CVE-2024-40891 being mentioned in an article on the GreyNoise blog.
In addition, VulnCheck informed us that they will publish the technical details concerning CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, MG8924-B10A, SBG3300 and SBG3500, are legacy products that reached end of life (EOL) years ago.
Therefore, we strongly recommend that users replace them with more recent products for optimal protection,” said Zyxel in the advisory.
In its write-up, BleepingComputer said that FOFA and Censys show more than 1,500 Zyxel CPE Series devices exposed to the internet, which suggests that the attack surface is “important”. At the same time, VulnCheck also shared a proof of concept (PoC) against a VMG4325-B10A running firmware version 1.00 (AAFR.4) C0_20170615, showing that the attack is more than theoretical.
“Although these systems are older and apparently for a long time, they have been very relevant because of their continuous use in the world and the sustained interest of attackers,” said VulnCheck. “The fact that attackers always actively exploit these routers underlines the need for attention, because understanding of the real world attacks is essential for effective safety research.”