Summary: Zyxel has alerted users to critical vulnerabilities in its end-of-life CPE Series devices, including a Telnet command injection flaw and weak default credentials, but has no plans to release patches. As exploitation attempts continue to be observed in the wild, Zyxel encourages users to upgrade to newer supported models. VulnCheck disclosed detailed exploitation methods while emphasizing the ongoing risk posed by these legacy devices.
Affected: Zyxel CPE Series devices
Keypoints:
- Two main vulnerabilities: CVE-2024-40891 (Telnet command injection) and CVE-2025-0890 (weak default credentials).
- Over 1,500 devices are exposed to the internet, highlighting significant risks.
- Zyxel has confirmed that the legacy devices are unsupported and urges users to replace them with newer models for better security.