CVE-2024-40891: Zyxel VMG1312-B10A Auth Bypass Flaw

CVE-2024-40891 Overview

CVE-2024-40891 is a post-authentication command injection vulnerability affecting legacy Zyxel DSL Customer Premises Equipment (CPE) devices. The flaw resides in management commands accessible via Telnet on the affected firmware. An authenticated attacker can inject and execute arbitrary operating system commands on the underlying Linux platform. Zyxel marked these products as UNSUPPORTED WHEN ASSIGNED, meaning they have reached end-of-life and will not receive firmware patches. The vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. The flaw is tracked under CWE-78 (OS Command Injection).

Critical Impact

Authenticated attackers can execute arbitrary OS commands via Telnet, leading to full device compromise and potential pivoting into internal networks.

Affected Products

• Zyxel VMG series: VMG1312-B10A/B10B/B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A
• Zyxel SBG series: SBG3300-N000, SBG3300-NB00, SBG3500-N000, SBG3500-NB00
• Reference firmware: VMG4325-B10A version 1.00(AAFR.4)C0_20170615

Discovery Timeline

• 2025-02-04 - CVE CVE-2024-40891 published to NVD
• 2025-02-04 - Zyxel publishes Zyxel Security Advisory
• 2025-10-27 - Last updated in NVD database

Technical Details for CVE-2024-40891

Vulnerability Analysis

The vulnerability is a classic OS command injection flaw exposed through the Telnet management interface on legacy Zyxel DSL gateways. Once a user authenticates to the device's command-line management shell, certain administrative commands pass user-controlled input to underlying shell execution without proper sanitization. An attacker can append shell metacharacters such as ;, |, or backticks to embed additional commands. These commands execute with the privileges of the management process, which on embedded Zyxel CPE firmware is typically root. Because the affected models are end-of-life, no official firmware update will be released for this CVE.

Root Cause

The root cause is improper neutralization of special elements used in an OS command [CWE-78]. The management CLI builds shell command strings by concatenating user-supplied parameters into commands passed to system() or equivalent invocations. The firmware does not validate input against an allowlist or escape shell metacharacters, allowing arbitrary commands to be appended to legitimate management operations.

Attack Vector

Exploitation requires network access to TCP port 23 (Telnet) and valid credentials for the device's management account. Combined with weak or default credentials commonly found on legacy CPE deployments, the authentication barrier is low in practice. Attackers reach affected devices over the Internet when the Telnet service is exposed on the WAN interface. Once authenticated, the attacker issues a crafted management command containing injected shell syntax, gaining persistent command execution on the device. This enables botnet recruitment, traffic interception, DNS hijacking, and lateral movement into the LAN behind the gateway.

Detection Methods for CVE-2024-40891

Indicators of Compromise

• Unexpected inbound TCP connections to port 23 (Telnet) on WAN-exposed Zyxel CPE devices
• Outbound connections from the gateway to known Mirai or IoT botnet command-and-control infrastructure
• DNS configuration changes on the CPE or modified firewall rules added without administrator action
• Unusual processes spawning from the device management daemon, such as wget, tftp, or busybox child processes downloading remote payloads

Detection Strategies

• Inspect network flow data for Telnet sessions to internal CPE devices, especially from external IP addresses
• Correlate authentication logs from the CPE with command execution patterns containing shell metacharacters (;, &&, |, backticks)
• Hunt for new outbound connections originating from gateway IP addresses to non-ISP destinations on uncommon ports

Monitoring Recommendations

• Enable syslog forwarding from Zyxel CPE devices to a centralized SIEM and alert on management CLI command execution
• Monitor for changes to device firmware version strings and configuration checksums to identify tampering
• Track CISA KEV updates for additional indicators related to active exploitation campaigns targeting Zyxel legacy DSL hardware

How to Mitigate CVE-2024-40891

Immediate Actions Required

• Replace affected end-of-life Zyxel VMG and SBG devices with currently supported hardware, as Zyxel will not issue patches for these models
• Disable the Telnet service on all affected devices and restrict management to the LAN interface only
• Rotate all administrative credentials and remove any default or shared accounts on the device
• Place affected devices behind a firewall that blocks inbound access to TCP port 23 from untrusted networks

Patch Information

No firmware patch is available. Zyxel has marked the affected DSL CPE models as UNSUPPORTED WHEN ASSIGNED in the Zyxel Security Advisory. The vendor recommends replacing legacy hardware with current-generation supported models. The CVE remains listed in the CISA Known Exploited Vulnerabilities catalog, requiring federal agencies to mitigate by removing affected devices from networks.

Workarounds

• Disable Telnet management on both WAN and LAN interfaces through the device administration console
• Apply ACLs at the upstream router or ISP boundary to block TCP/23 traffic to CPE management addresses
• Segment vulnerable CPE devices onto an isolated VLAN with no access to sensitive internal resources
• Enforce strong, unique administrative passwords to raise the authentication barrier required for exploitation

# Configuration example - disable Telnet and restrict management access
# From the Zyxel CLI:
ip telnet server disable
ip telnet server rule 1 deny wan

# Upstream firewall rule to block inbound Telnet to CPE management IPs:
iptables -A FORWARD -p tcp --dport 23 -d <cpe_mgmt_ip> -j DROP