The “Perfect Storm” for Zyxel: EOL Routers and Ransomware Attacks
Every product has a due date, but customers often have little warning and no recourse when a vendor decides to sunset a product. Once a vendor designates a product as end-of-life (EOL) or end-of-service (EOS), managing associated risks becomes more complex. Risk is magnified when cyber criminals find and exploit vulnerabilities that will never be patched. If an EOL product becomes vulnerable in the future, its users need to implement additional security controls on their own.
If the vendor is found to be still selling these vulnerable EOL products, it may be considered the “perfect storm” or the maximum disaster. In this article we will investigate several security alerts for Zyxel products including some designated EOL and another flaw exploited in ransomware attacks.
An Overview of Recent Vulnerabilities in Zyxel Products
CVE-2024-40891 (CVSS 8.8), a high severity Remote Code Execution (RCE) flaw in Zyxel’s telnet implementation, has been known since mid-2024. Yet, almost six months later, Zyxel has not issued a patch, claiming the affected products are EOS and EOL. Early in 2025, Greynoise observed active exploitation of CVE-2024-40891 against vulnerable Zyxel CPE networking devices. That CVE (Common Vulnerabilities and Exposures) and another RCE flaw, CVE-2024-40890 (CVSS 8.8), were both added to the Known Exploited Vulnerabilities (KEV) list of CISA (Cybersecurity and Infrastructure Security Agency) by mid-February. While both CVEs were post-authentication RCE flaws, a third security gap, CVE-2025-0890 (CVSS 9.8), published on February 4th, provided the final piece to the puzzle: extremely weak default credentials for remotely accessible services – that is, on top of the already unencrypted Telnet authentication process.
Researchers at VulnCheck who originally discovered the flaws also pointed out that the vendor continues to sell the faulty devices despite being aware of active exploitation and having no intention to issue patches. As of February 25th, 2025, some of the affected products were still being sold from Zyxel’s official Amazon store [1][2]. On top of these, another vulnerability in Zyxel products, CVE-2024-11667, is being actively exploited in ransomware attacks by the Helldown threat actor.
In the telecom technologies sector, Zyxel holds an estimated market share of 4.19%, serving around 2,277 companies including the world’s biggest tech giants. Zyxel Group, headquartered in Hsinchu Science Park, Taiwan, is a prominent provider of networking solutions for both businesses and home users, operating globally in over 150 countries.
A Timeline of Events
- 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in CPE series products.
- 2024-07-31: VulnCheck published information about CVE-2024-40890 and CVE-2024-40891 on their blog.
- 2025-01-28: Active exploitation of CVE-2024-40891 was reported by GreyNoise.
- 2025-02-03: VulnCheck released further information highlighting the risk presented by Zyxel’s position and providing evidence that vulnerable devices were still being sold online by the vendor.
- 2025-02-04: Zyxel released a security advisory labelling affected products as EOL and stating they will not receive updates.
Technical Descriptions of Recent Zyxel Vulnerabilities
Aside from Zyxel’s slow response to security researchers and their decision to continue selling EOL products with exploitable vulnerabilities, there are additional lessons to learn from a technical assessment of the flaws themselves. Namely, they show how product vendors continue to market products with unforgivable security flaws while skirting accountability.
- CVE-2024-40891 (CVSS 8.8 High): Authenticated users can exploit Telnet command injection due to improper input validation in `libcms_cli.so`. Commands are passed unchecked to a shell execution function, allowing arbitrary RCE. Aside from checking that the command string starts with an approved command, the `prctl_runCommandInShellWithTimeout` function has no filtering, allowing command chaining and arbitrary command injection.
- CVE-2024-40890 (CVSS 8.8 High): A post-authentication command injection vulnerability in the CGI program of the legacy DSL Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
- CVE-2025-0890 (CVSS 9.8 Critical): Devices use weak default username:password pairs such as admin:1234, zyuser:1234, and supervisor:zyad1234. None of these accounts are visible via the web interface, but they can be found in the device’s `/etc/default.cfg`. These default credentials are now well-known by attackers. The “supervisor” and “zyuser” accounts can both access devices remotely via Telnet. “supervisor” has hidden privileges, granting full system access, while “zyuser” can still exploit CVE-2024-40891 for RCE. Use of such default credentials violates CISA’s Secure by Design pledge and the EU’s upcoming Cyber Resilience Act (CRA).
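The prefix-only validation described for CVE-2024-40891 above, placed beside a hardened validator, as an added illustration in C. This is not Zyxel’s code: the allow-list contents and the function names are assumptions, and neither function executes anything; they only return accept (1) or reject (0).

```c
#include <stdio.h>
#include <string.h>

/* Allow-list of CLI commands permitted to reach a shell helper.
 * Constructed for this example; the real libcms_cli.so list is not known here. */
static const char *ALLOWED[] = { "ping", "traceroute", "nslookup" };
static const size_t N_ALLOWED = sizeof(ALLOWED) / sizeof(ALLOWED[0]);

/* Weak check in the style the advisory describes: the line is accepted if it
 * merely STARTS WITH an approved command. Everything after the prefix, including
 * shell separators, would then be passed to the shell unchanged. */
int check_command_weak(const char *line)
{
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (strncmp(line, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 1;
    return 0;
}

/* Hardened check: reject any shell metacharacter anywhere in the line, and
 * require the first whitespace-delimited token to EXACTLY equal an allowed
 * command (so "pingfoo" no longer matches "ping"). */
int check_command_strict(const char *line)
{
    static const char META[] = ";|&`$()<>{}\n\r\\\"'*?";
    if (strpbrk(line, META) != NULL)
        return 0;
    size_t tok = strcspn(line, " \t");          /* length of first token */
    for (size_t i = 0; i < N_ALLOWED; i++)
        if (tok == strlen(ALLOWED[i]) && strncmp(line, ALLOWED[i], tok) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "ping 127.0.0.1", "ping 127.0.0.1; id", "pingfoo 1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s weak=%d strict=%d\n", samples[i],
               check_command_weak(samples[i]), check_command_strict(samples[i]));
    return 0;
}
```

Even the strict variant should feed an argv array to execv-style APIs rather than a shell, so that no metacharacter interpretation is possible at all.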
The affected products include Zyxel VMG1312-B Series (VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A) and two Zyxel Business Gateway Series routers (SBG3300, and SBG3500). The Zyxel CPE (Customer Premises Equipment) series devices are designed for home and small business internet connectivity, such as DSL, fiber and wireless gateways. As such, they are typically installed at a customer’s location to connect them to an Internet Service Provider’s (ISP) network and are therefore not easily protected from the Internet by firewalls. Considering the nature of Zyxel CPE devices and the vulnerabilities in question, it would not be surprising if tens of thousands or more Zyxel devices were participating in malicious botnet activity.
Greenbone is able to detect EOL Zyxel devices that are vulnerable to the aforementioned CVEs.
CVE-2024-11667: Zyxel Firewalls Exploited in Ransomware Attacks
CVE-2024-11667 (CVSS 9.8 Critical), published in late December 2024, is a path traversal flaw [CWE-22] in the web-management console of Zyxel ATP and USG FLEX firewall series. The vulnerability is known to be exploited by the Helldown threat actor in ransomware attacks and the subject of several national cybersecurity advisories [1][2].
The Helldown ransomware group emerged in August 2024 as a notable threat actor in the cybersecurity landscape. This group employs a double extortion strategy, wherein they exfiltrate sensitive data from targeted organizations and subsequently deploy ransomware to encrypt the victims’ systems. If the ransom demands are not met, Helldown threatens to publicly release the stolen data on their data leak site. In addition to exploiting these Zyxel flaws, Helldown is known to exploit Windows OS vulnerabilities, VMware ESX, and Linux environments, often using compromised VPN credentials to move laterally within networks.
Zyxel has released an advisory acknowledging the ransomware attacks and patches for affected products. Greenbone is able to detect Zyxel products affected by CVE-2024-11667 with three separate product specific version detection tests [1][2][3].
Summary
The situation with Zyxel seems to be a perfect storm leading to an important question: What recourse do customers have when a vendor fails to patch a security gap in their product? Zyxel’s EOL networking devices remain actively exploited, with vulnerabilities that can be combined for unauthorized arbitrary RCE and other unauthorized actions. CVE-2024-40891, CVE-2024-40890, and CVE-2025-0890 are now in CISA’s KEV list, while CVE-2024-11667 has been linked to ransomware attacks. The researchers from VulnCheck, who discovered several of these CVEs, have criticized Zyxel for poor communication and further for selling unpatched EOL devices. Greenbone detects affected products, enabling a proactive approach to vulnerability management and the opportunity for users to mitigate exposure.

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.