In late January 2025, GreyNoise reported active exploitation of CVE-2024-40891, an unauthenticated command injection vulnerability in Zyxel CPE (Customer Premises Equipment) series routers. The flaw allowed remote attackers to execute arbitrary commands on affected devices via Telnet, and it was being leveraged to recruit routers into Mirai-based botnets.
What made this situation particularly frustrating for defenders was that VulnCheck had privately disclosed the vulnerability to Zyxel in July 2024. By February 2025, Zyxel had not released a patch, initially claiming the affected devices were end-of-life and would not receive security updates.
The Vulnerability
CVE-2024-40891 is a command injection vulnerability accessible through the Telnet management interface of certain Zyxel CPE routers. The flaw allows an unauthenticated attacker to send specially crafted Telnet commands that are executed by the underlying operating system with elevated privileges.
The vulnerability is closely related to CVE-2024-40890, a similar command injection flaw accessible via HTTP rather than Telnet. Both vulnerabilities stem from insufficient input validation in the management interface's command processing logic.
Affected devices included a number of Zyxel CPE models, among them the VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-T20A and VMG3926-B10B. These are DSL gateway routers commonly deployed by internet service providers to residential and small-business customers.
The Exploitation Campaign
GreyNoise observed exploitation attempts beginning in late January 2025, with a sharp increase in activity through February. The attacks followed a pattern consistent with botnet recruitment:
- Internet-wide scanning for devices with Telnet (port 23) open.
- Exploitation of CVE-2024-40891 to gain command execution.
- Download and execution of Mirai variant payloads.
- Enrollment of the compromised device into a botnet for DDoS attacks or further scanning.
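The recruitment chain above is visible on the network side even without any knowledge of the exploit payload: an inbound Telnet session to the CPE, followed shortly by an outbound fetch and then a burst of outbound Telnet probes to many distinct hosts. The script below is an added example, not code from GreyNoise, Zyxel or this page's author. It assumes a simple constructed flow-record format (timestamp, direction relative to the CPE's WAN interface, source and destination endpoints), and the 10-minute window and five-target scan threshold are example tuning values to adjust for your own telemetry. All addresses are from the documentation ranges and the flow lines are constructed.

```python
"""Added example: correlate flow records around a CPE's WAN address to spot the
Mirai-style recruitment chain (inbound Telnet -> outbound payload fetch ->
outbound Telnet scanning). Not code from GreyNoise, Zyxel or the original
page. The flow-line format, the 10-minute window and the five-target scan
threshold are assumptions; all addresses are documentation ranges."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample flows: <ts> <in|out> <src>:<sport> -> <dst>:<dport>
# "in"/"out" is relative to the CPE's WAN interface. 198.51.100.20 shows the
# full chain; 198.51.100.21 only has Telnet reachable, with nothing following.
SAMPLE_FLOWS = """\
2025-02-03T10:15:02Z in 203.0.113.7:51234 -> 198.51.100.20:23
2025-02-03T10:15:40Z out 198.51.100.20:40001 -> 192.0.2.55:80
2025-02-03T10:16:10Z out 198.51.100.20:40002 -> 203.0.113.40:23
2025-02-03T10:16:11Z out 198.51.100.20:40003 -> 203.0.113.41:23
2025-02-03T10:16:12Z out 198.51.100.20:40004 -> 203.0.113.42:23
2025-02-03T10:16:13Z out 198.51.100.20:40005 -> 203.0.113.43:23
2025-02-03T10:16:14Z out 198.51.100.20:40006 -> 203.0.113.44:23
2025-02-03T10:16:15Z out 198.51.100.20:40007 -> 203.0.113.45:23
2025-02-03T10:20:00Z out 198.51.100.21:50001 -> 192.0.2.9:443
2025-02-03T10:21:00Z in 203.0.113.7:51300 -> 198.51.100.21:23
2025-02-03T10:35:00Z out 198.51.100.21:50002 -> 192.0.2.9:443
"""

FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<dir>in|out) (?P<src>[\d.]+):(?P<sport>\d+)"
                     r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
TELNET = 23
FETCH_PORTS = {80, 443, 69, 21}   # HTTP/HTTPS/TFTP/FTP: where a dropper pulls the payload
WINDOW = timedelta(minutes=10)    # how long after the Telnet session we keep looking
SCAN_THRESHOLD = 5                # distinct hosts probed on 23 counts as scanning


def parse_flows(text):
    """Parse the constructed flow lines into dicts, oldest first."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue   # skip blank or malformed lines rather than crash
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "dir": m["dir"], "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]), "dport": int(m["dport"]),
        })
    return sorted(flows, key=lambda f: f["ts"])


def detect_recruitment(flows):
    """Return {cpe_ip: {"verdict", "stages", "first_seen"}} for every CPE that
    accepted an inbound Telnet session. Verdicts: 'telnet_exposed' (nothing
    followed), 'suspect' (payload fetch only), 'recruited' (outbound scanning)."""
    by_cpe = defaultdict(list)
    for f in flows:
        by_cpe[f["dst"] if f["dir"] == "in" else f["src"]].append(f)

    findings = {}
    for cpe, fl in by_cpe.items():
        for first in (f for f in fl if f["dir"] == "in" and f["dport"] == TELNET):
            deadline = first["ts"] + WINDOW
            later = [f for f in fl if f["dir"] == "out"
                     and first["ts"] <= f["ts"] <= deadline]
            stages = ["inbound_telnet"]
            if any(f["dport"] in FETCH_PORTS for f in later):
                stages.append("payload_fetch")
            if len({f["dst"] for f in later if f["dport"] == TELNET}) >= SCAN_THRESHOLD:
                stages.append("outbound_telnet_scan")
            verdict = ("recruited" if "outbound_telnet_scan" in stages
                       else "suspect" if "payload_fetch" in stages
                       else "telnet_exposed")
            # keep the longest chain seen for this CPE
            if cpe not in findings or len(stages) > len(findings[cpe]["stages"]):
                findings[cpe] = {"verdict": verdict, "stages": stages,
                                 "first_seen": first["ts"].isoformat()}
    return findings


if __name__ == "__main__":
    for cpe, finding in detect_recruitment(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{cpe}: {finding['verdict']} via {' -> '.join(finding['stages'])}")
```

On the constructed data, 198.51.100.20 comes out as `recruited` (all three stages inside the window) while 198.51.100.21 is only `telnet_exposed`, because its outbound HTTPS connections fall outside the window around the Telnet session. A single outbound connection after a Telnet session is a weak signal on its own (CPE devices legitimately talk to their ACS, NTP and DNS), so the verdict only escalates to `recruited` on the scanning stage; in production you would also allowlist the ISP's own management endpoints before counting fetches.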
Censys data indicated approximately 1,500 vulnerable Zyxel devices were reachable from the internet at the time of the exploitation reports. That is a small population compared to Fortinet or Ivanti deployments, but CPE devices are particularly difficult to remediate: end users are typically unaware that they are running vulnerable firmware and have no way to update it themselves.
The Mirai botnet ecosystem has been remarkably persistent since the original Mirai source code was released in 2016. New variants continue to target IoT devices and consumer networking equipment, exploiting any available vulnerability to grow their networks. CVE-2024-40891 was simply the latest in a long line of router vulnerabilities absorbed into Mirai campaigns.
Zyxel's Response (or Lack Thereof)
The initial vendor response was disappointing. When VulnCheck disclosed the vulnerability to Zyxel in July 2024, the company acknowledged the report but indicated that many affected models were end-of-life (EOL) and would not receive patches.
This is a common and problematic pattern in the networking equipment industry. Vendors declare products end-of-life, which from their perspective ends their obligation to provide security updates. From the perspective of the devices still deployed and connected to the internet, "end-of-life" changes nothing: they continue to operate, continue to be reachable, and continue to be exploitable.
After public reporting of active exploitation in January 2025, Zyxel faced mounting pressure and eventually acknowledged the issue more prominently. However, for many affected models, the recommended mitigation remained "replace the device" -- advice that ISPs deploying thousands of these routers found impractical.
The ISP Angle
CPE devices occupy an awkward position in the security ecosystem. They are:
- Owned by the ISP but deployed at the customer's premises.
- Managed remotely in theory (typically through a TR-069 auto-configuration server), but in practice firmware updates are often manual or require truck rolls.
- Internet-facing by definition, since they are the customer's gateway to the internet.
- Long-lived, with deployment cycles measured in years or decades, not months.
When a CPE vulnerability is discovered, the remediation path is unclear. The ISP may be contractually responsible for the device, but updating firmware across thousands of deployed units is operationally expensive. The end user typically cannot update the device themselves and may not even know what model they have.
This creates a persistent population of vulnerable, internet-facing devices that remain exploitable for years after a vulnerability is disclosed. It is a structural problem in the networking industry that no single vendor can solve.
Mitigations
For organizations or ISPs running affected Zyxel CPE devices:
- Disable Telnet access. If the management interface is not needed via Telnet, disable it; use SSH if remote management is required. Note that the sibling flaw CVE-2024-40890 is reachable over the HTTP management interface, so disabling Telnet alone does not close every command-injection path.
- Restrict management interface access. Ensure that neither the Telnet nor the HTTP management interface is reachable from the WAN side; bind management to the LAN or to the ISP's management network only, and verify the result from an external vantage point rather than trusting the configuration page.
- Monitor for indicators of compromise. Look for unexpected outbound connections from CPE devices, particularly to known Mirai C2 infrastructure, and for outbound Telnet scanning, which is how a recruited device spreads the botnet further.
- Plan device replacement for end-of-life models that will not receive patches.
- Apply firmware updates if and when Zyxel releases them for supported models.
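After disabling Telnet and restricting the management interfaces, confirm the change from outside the device. The script below is an added example, not Zyxel's tooling or code from the original page: it probes the management ports from whatever host it runs on and classifies each as open (handshake completed), closed (connection refused, so the host answers but the service is off) or filtered (no answer, so something upstream drops the packets). So that it runs offline, it starts a throwaway loopback listener that stands in for a CPE whose Telnet is still reachable; that listener, its fake "Login:" banner and the port choices are assumptions.

```python
"""Added example: probe a CPE's management ports from an external vantage point.
Not Zyxel's tooling or code from the original page; the loopback demo listener
and the fake "Login:" banner are assumptions used so the script runs offline."""
import socket
import threading

# Management services the mitigations want closed on the WAN side: Telnet
# (CVE-2024-40891 path) and HTTP (CVE-2024-40890 path).
MANAGEMENT_PORTS = {23: "telnet", 80: "http"}


def probe_port(host, port, timeout=2.0):
    """Return (state, banner). state is 'open' (TCP handshake completed),
    'closed' (RST / connection refused: host reachable, service off) or
    'filtered' (no answer: something upstream drops the packets)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(0.5)
            try:
                banner = s.recv(128)   # a Telnet login prompt is a strong hint
            except (socket.timeout, OSError):
                banner = b""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", b""
    except (socket.timeout, OSError):
        return "filtered", b""


def check_exposure(host, ports=None, timeout=2.0):
    """Probe each port; return {port: state}. Any 'open' entry is a finding."""
    ports = list(MANAGEMENT_PORTS) if ports is None else list(ports)
    return {port: probe_port(host, port, timeout)[0] for port in ports}


def exposed_services(results):
    """Ports that still answer, i.e. the mitigation is not in effect."""
    return sorted(port for port, state in results.items() if state == "open")


def start_demo_listener():
    """Throwaway loopback listener standing in for a CPE with Telnet exposed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.sendall(b"Login: ")   # fake prompt (assumption)
                conn.close()
        except OSError:                    # listener closed: exit the thread
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Pick a loopback port with nothing listening, to show the 'closed' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the check against the loopback stand-in; returns (open_port, results)."""
    srv, open_port = start_demo_listener()
    try:
        results = check_exposure("127.0.0.1", [open_port, unused_port()])
    finally:
        srv.close()
    return open_port, results


if __name__ == "__main__":
    open_port, results = demo()
    print(results, "exposed:", exposed_services(results))
```

Against a real CPE you would call `check_exposure(<WAN address>)` from a host outside the ISP's network and expect every management port to come back `closed` or `filtered`. The distinction matters operationally: `closed` means the device itself answers and the service is off, while `filtered` usually means an upstream ACL is doing the work, which is fine until that ACL changes.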
For the broader industry, CVE-2024-40891 is another reminder that the "we don't patch EOL products" stance needs to evolve. Regulatory initiatives like the EU Cyber Resilience Act aim to address this by requiring manufacturers to provide security updates for the expected lifetime of their products, not just until the vendor decides to stop supporting them.
How Safeguard.sh Helps
Safeguard.sh helps organizations maintain visibility into their entire deployed software footprint, including the firmware running on network and IoT devices. For ISPs and enterprises managing fleets of CPE devices, Safeguard's SBOM tracking and vulnerability correlation can identify which device models and firmware versions are vulnerable to newly disclosed CVEs.
When a vulnerability like CVE-2024-40891 is published, Safeguard enables you to:
- Instantly identify affected devices across your deployment.
- Track remediation progress as firmware is updated or devices are replaced.
- Generate compliance reports demonstrating your response to known vulnerabilities.
- Set policy gates that flag EOL devices still in production, prompting replacement planning before the next zero-day.
Proactive inventory management beats reactive scrambling every time.