Summary: Taiwanese networking equipment maker Zyxel has warned that multiple legacy DSL CPE products are affected by critical command injection vulnerabilities (CVE-2024-40890 and CVE-2024-40891) that are being exploited in the wild. The flaws will not be patched because the affected devices have reached end of life and are out of support. More than 1,500 affected devices are at risk of being compromised by Mirai-based botnets, which would expose the networks behind them. Zyxel advises users to replace these legacy products with currently supported equipment.
Affected: Zyxel DSL CPE products
Keypoints:
- The vulnerabilities are already exploited in the wild; successful exploitation gives remote code execution on the device and carries a risk of data exfiltration.
- The affected devices have reached end of life and are no longer supported by Zyxel, which has no plans to release firmware updates for them.
- Exploitation is made easier by default credentials and insecure default configurations present on the affected models.
Source: https://www.securityweek.com/zyxel-issues-no-patch-warning-for-exploited-zero-days/