Unknown attackers exploit an unpatched zero-day flaw in Zyxel CPE devices
A zero-day vulnerability, CVE-2024-40891, affects Zyxel DSL CPE devices. This OS command injection flaw has been actively exploited since early 2024: attackers use it to take over devices, potentially enrolling them into botnets for activities such as DDoS attacks or scanning[1][3].
### Current Status
The vulnerability is currently under active exploitation, with threat actors targeting older or end-of-life Zyxel devices[1]. The issue has drawn attention within the security community and appears in threat intelligence feeds and hacker activity monitoring services. Because the affected devices are typically Internet-exposed and the exploit leads to full device takeover, it remains a critical issue[1][2][5].
### Patch Availability
Despite the ongoing exploitation, there is currently no official patch or vendor-supported fix for CVE-2024-40891. According to BigFix Known Exploited Vulnerabilities resources, as of early 2025 the vulnerability is marked "Ready" for detection in scanning tools but "Not Supported" with respect to patch provision[3].
In light of this, security researchers and vendors recommend that organisations using Zyxel CPE devices affected by CVE-2024-40891 immediately apply workarounds: network-level filtering or blocking of UDP port 500 traffic, isolation of vulnerable devices, and monitoring for post-exploitation indicators[1].
### Recommendations for Mitigation
To mitigate the risk, block incoming traffic to vulnerable Zyxel CPE devices, especially on UDP port 500, the port used in this IKE packet decoding flaw[1]. Monitor network logs for indicators of compromise and for exploitation attempts.
Given the lack of a patch, replacing or segmenting affected devices until a vendor patch or firmware update is released may be necessary. Staying updated via security advisories from Zyxel and independent vulnerability intelligence providers is also crucial[1][2].
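To make the monitoring recommendation concrete, here is an added example (not from the article or from GreyNoise) that scans netfilter LOG lines from a perimeter firewall for inbound UDP/500 traffic aimed at the CPE address range and reports which external sources are sweeping across several devices. The log lines, the CPE subnet (192.0.2.0/24), and the interface names are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: Linux netfilter LOG-target lines as a perimeter firewall
# would emit; all addresses are documentation ranges, made up for this example.
SAMPLE_LOG = """\
Jan 28 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4321 DPT=500 LEN=148
Jan 28 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=4321 DPT=500 LEN=148
Jan 28 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=443 LEN=60
Jan 28 10:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4321 DPT=500 LEN=148
Jan 28 10:02:00 fw kernel: IN=eth1 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=148
"""

# Assumed inventory: the subnet where the Zyxel CPE devices sit (constructed).
CPE_NETWORK = ip_network("192.0.2.0/24")
# Assumed topology: eth0 faces the Internet; eth1 is a trusted VPN peer link.
UNTRUSTED_IFACES = {"eth0"}

LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return the fields of one netfilter LOG line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def find_ike_probes(log_text, min_targets=1):
    """Map each untrusted source to the sorted CPE addresses it hit on UDP/500.

    Sources that reached fewer than min_targets distinct CPE devices are dropped,
    so min_targets=2 isolates sweeps across the CPE range from single contacts.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["proto"] != "UDP" or f["dpt"] != "500":
            continue                      # only the IKE port matters here
        if f["iface"] not in UNTRUSTED_IFACES:
            continue                      # traffic from trusted peers is expected
        if ip_address(f["dst"]) in CPE_NETWORK:
            hits[f["src"]].add(f["dst"])
    return {src: sorted(d) for src, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_ike_probes(SAMPLE_LOG, min_targets=2).items():
        print(f"{src} sent UDP/500 to {len(targets)} CPE devices: {targets}")
```

Feed it your own firewall log (or a syslog export) in place of SAMPLE_LOG; any source flagged with min_targets=2 is a candidate for a block rule and for checking the listed devices for post-exploitation indicators.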
In summary, CVE-2024-40891 remains an unpatched, actively exploited zero-day vulnerability in Zyxel CPE devices and poses an ongoing risk. Organisations should take immediate defensive action to reduce exposure while watching for future patch releases. No official patches have been issued as of mid-2025, so operational mitigations are critical to prevent exploitation[1][3].
Successful exploitation can lead to data exfiltration, network infiltration, or total system compromise. Notably, in early December, the Cybersecurity and Infrastructure Security Agency and German authorities warned that a separate directory traversal vulnerability in Zyxel firewalls (CVE-2024-11667) was being exploited to deploy Helldown ransomware[2].
[1] GreyNoise:
- The unpatched vulnerability, CVE-2024-40891, has been actively exploited since early 2024, posing a serious threat to data and cloud computing operations through ransomware attacks such as the Helldown ransomware discovered in December 2024.
- To mitigate the risk of exploitation, measures such as firewalling, network-level filtering, and device isolation have been recommended, as there is currently no official patch available for this zero-day vulnerability.
- Organisations using affected Zyxel CPE devices should stay updated on security advisories from Zyxel and independent vulnerability intelligence providers; the lack of a patch means operational mitigations are needed to prevent potential system compromise.