ZyXEL Router Vulnerability: Replace Affected Hardware Now

Zyxel Declines to Patch Actively Exploited Vulnerabilities
Zyxel, a Taiwanese hardware manufacturer, has announced it will not be issuing a security patch for two vulnerabilities currently being exploited. These flaws potentially affect a significant number of customers.
Zero-Day Exploitation Confirmed
GreyNoise, a threat intelligence firm, alerted the public late last month regarding the active exploitation of a critical zero-day vulnerability within Zyxel routers. The identified vulnerabilities permit attackers to execute arbitrary commands on affected devices.
This access can lead to complete system control, unauthorized data extraction, and potential network breaches.
Discovery and Reporting Timeline
According to GreyNoise, the vulnerabilities were initially discovered by VulnCheck in July of the previous year. The findings were subsequently reported to Zyxel the following month.
However, the manufacturer had not yet released a patch or publicly disclosed the issues.
Zyxel's Response and CVE Identifiers
Zyxel stated this week that it only “recently” became aware of the two vulnerabilities, now formally designated as CVE-2024-40890 and CVE-2024-40891. The company asserts these flaws impact several products that have reached their end-of-life.
Zyxel claims it did not receive the vulnerability reports directly from VulnCheck, and first learned of the exploitation on January 29th, following GreyNoise’s public report.
No Patch for End-of-Life Products
Given that these vulnerabilities affect “legacy products” that are beyond their end-of-life support period, Zyxel has decided against releasing any patches. Instead, customers are advised to replace affected routers with newer models.
This upgrade is recommended to ensure optimal security protection.
Continued Availability of Vulnerable Devices
VulnCheck highlighted in a blog post on Tuesday that the impacted devices are not currently listed on Zyxel’s end-of-life page. Furthermore, some of these vulnerable models are still being offered for sale through online retailers like Amazon, as confirmed by TechCrunch.
“These systems, despite their age and apparent lack of support, remain significant targets due to their widespread use and ongoing attacker interest,” explained Jacob Baines, CTO at VulnCheck.
Exposure and Botnet Activity
Data from Censys, an IoT device search engine, indicates that approximately 1,500 vulnerable devices are currently exposed on the internet.
GreyNoise reported last week that it has detected botnets, including Mirai, exploiting one of the Zyxel vulnerabilities. This suggests the flaw is being leveraged in large-scale attacks.
Lack of Response from Zyxel
Despite multiple requests for comment, Zyxel spokesperson Birgitte Larsen has not responded to inquiries from TechCrunch.
Key Takeaways
- Zyxel will not patch vulnerabilities CVE-2024-40890 and CVE-2024-40891.
- The vulnerabilities affect end-of-life products.
- Approximately 1,500 devices remain exposed online.
- Botnets like Mirai are actively exploiting the flaws.