A security advisory from Zyxel states that the company will not patch vulnerabilities in its end-of-life CPE Series routers, even though two of the flaws, reported by VulnCheck, are being actively exploited. The two flaws chain into arbitrary code execution: the devices ship with weak default credentials (CVE-2025-0890), and an attacker who logs in with them can inject and run arbitrary commands through the management interface (CVE-2024-40891). Zyxel advises users to replace these legacy products with newer-generation equipment rather than expect a fix.
More than 1,500 Zyxel CPE Series devices are exposed to the internet, a sizeable attack surface for flaws that will never be patched. VulnCheck discovered the vulnerabilities in July 2024, and last week GreyNoise reported exploitation attempts in the wild. VulnCheck has since published full details of the two flaws along with a proof-of-concept (PoC) demonstrated against a VMG4325-B10A running firmware version 1.00(AAFR.4)C0_20170615.
Zyxel's decision not to issue patches is unsurprising given that these devices reached end-of-life years ago; the company's position is that the only remedy is replacement with newer-generation equipment. The disclosure also underlines that understanding how real-world attacks unfold is critical to effective security research. For defenders, the practical lesson is that legacy systems which can no longer receive patches should be inventoried and retired, and until they are, their management interfaces (Telnet and HTTP) should not be reachable from the internet and their default credentials must be changed.
Source: https://www.bleepingcomputer.com/news/security/zyxel-wont-patch-newly-exploited-flaws-in-end-of-life-routers