January 29, 2025
Severity
High
Analysis Summary
A newly discovered critical zero-day vulnerability, CVE-2024-40891, is actively being exploited in Zyxel CPE Series devices, putting thousands of systems at risk. This Telnet-based command injection flaw allows unauthenticated attackers to execute arbitrary commands on vulnerable devices, leading to system compromise, data theft, and network infiltration.
The researcher highlighted that the vulnerability, first reported in July 2024, has neither been publicly disclosed nor patched. Threat intelligence data indicates that attack attempts originate primarily from Taiwan, with over 1,500 vulnerable devices exposed online.
The flaw closely resembles CVE-2024-40890, a previously identified HTTP-based vulnerability, with both exploits targeting service accounts to gain unauthorized access. While the researcher is working with Zyxel on responsible disclosure, the company has not yet responded with a patch or mitigation plan. In the meantime, security experts recommend filtering traffic for unusual HTTP requests and restricting access to administrative interfaces to trusted IPs to reduce the risk of exploitation.
Additionally, a separate cybersecurity threat has emerged involving attacks on SimpleHelp remote desktop software. According to the researcher, a campaign observed since January 22, 2025, targeted devices running SimpleHelp, using it as an initial access vector. Although it is unclear whether these attacks are linked to the recently disclosed SimpleHelp vulnerabilities (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728), those flaws could enable attackers to escalate privileges and upload arbitrary files. Initial signs of compromise involved unauthorized communications to a malicious SimpleHelp server, followed by enumeration of domain accounts via cmd.exe using tools such as net and nltest.
Organizations using Zyxel CPE Series devices and SimpleHelp software should take immediate action to mitigate risks. Zyxel users should monitor for suspicious activity and restrict access to management interfaces, while SimpleHelp users must update to the latest patched versions. The early termination of the SimpleHelp-related attack suggests that the attackers were testing exploitation methods, which makes it urgent for organizations to strengthen their defenses against potential follow-up attacks.
Impact
- Gain Access
- Sensitive Data Theft
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2024-40891
Affected Vendor
Zyxel
Affected Products
- Zyxel CPE Series devices
Remediation
- Restrict access to administrative interfaces by allowing only trusted IPs.
- Monitor network traffic for unusual HTTP/Telnet requests targeting Zyxel devices.
- Disable unnecessary services, such as Telnet, if not required.
- Implement firewall rules to block unauthorized access attempts.
- Regularly review logs for signs of suspicious activity or unauthorized access.
- Await official patches from Zyxel and apply them as soon as they are released.
- Immediately update to the latest patched version of SimpleHelp.
- Restrict remote access to trusted IP addresses only.
- Monitor for unauthorized SimpleHelp server connections in network traffic.
- Audit user activity to detect unusual account enumeration or privilege escalation attempts.
- Implement strong authentication mechanisms, such as multi-factor authentication (MFA).
- Remove unused or outdated SimpleHelp instances to minimize attack surfaces.
- Keep all software and firmware updated to prevent exploitation of known vulnerabilities.
- Segment critical network assets to prevent lateral movement in case of compromise.
- Use intrusion detection and prevention systems (IDS/IPS) to block suspicious activity.
- Regularly perform security audits and penetration testing to identify potential weaknesses.
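Added example, not part of the advisory: Python detection logic for the SimpleHelp-related post-access behaviour described above (domain-account enumeration through cmd.exe with net and nltest), run over constructed process-creation events. The event field names and the remote-support tool's executable name (`remote-tool.exe`) are assumptions; substitute the image name of the tool you actually deploy.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo hello"},
    {"host": "WS07", "user": "CORP\\svc_helpdesk", "parent": r"C:\ProgramData\RemoteSupportTool\remote-tool.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"host": "WS07", "user": "CORP\\svc_helpdesk", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS12", "user": "CORP\\admin1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use Z: \\\\fs01\\share"},
    {"host": "WS03", "user": "CORP\\itops", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
]

# Assumed placeholder for the remote-support tool's executable; the advisory does not name it.
REMOTE_TOOL_IMAGES = {"remote-tool.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Domain account / domain controller enumeration via net and nltest, the tooling named in the advisory.
DOMAIN_ENUM = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:group|user|localgroup|accounts)\b.*?/domain\b"
    r"|\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|dsgetdc|trusted_domains)\b",
    re.IGNORECASE,
)

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect_domain_enum(events, remote_tool_images=REMOTE_TOOL_IMAGES):
    """Flag domain enumeration; severity is 'high' when a remote-support tool spawned a shell
    on the same host, matching the initial-access pattern in the advisory, else 'medium'."""
    remote_shell_hosts = {
        e["host"] for e in events
        if basename(e["parent"]) in remote_tool_images and basename(e["image"]) in SHELLS
    }
    alerts = []
    for e in events:
        if DOMAIN_ENUM.search(e["cmdline"]):
            alerts.append({"host": e["host"], "user": e["user"], "cmdline": e["cmdline"],
                           "severity": "high" if e["host"] in remote_shell_hosts else "medium"})
    return alerts

if __name__ == "__main__":
    for a in detect_domain_enum(SAMPLE_EVENTS):
        print(f'[{a["severity"].upper()}] {a["host"]} {a["user"]}: {a["cmdline"]}')
```

Ordinary drive mappings (`net use`) are deliberately not matched, so the rule stays quiet on routine helpdesk activity while still surfacing enumeration that did not originate from the remote-support tool at a lower severity.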