CVE-2025-0890 Overview
CVE-2025-0890 is an insecure default credentials vulnerability affecting the Telnet function in multiple legacy Zyxel DSL CPE (Customer Premises Equipment) devices. This vulnerability exists in devices where administrators have the option to change the default credentials but fail to do so, allowing attackers to log in to the management interface with well-known default credentials over the network.
Note: This vulnerability was assigned while the affected products were already unsupported (end-of-life), meaning no patches will be provided by the vendor.
Critical Impact
Attackers can gain full administrative access to affected Zyxel DSL routers and gateways via Telnet using default credentials, potentially compromising the entire network infrastructure and all connected devices.
Affected Products
- Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 and related versions
- Zyxel VMG1312-B10A, VMG1312-B10B, VMG1312-B10E firmware
- Zyxel VMG3312-B10A, VMG3313-B10A firmware
- Zyxel VMG3926-B10B, VMG4380-B10A firmware
- Zyxel VMG8324-B10A, VMG8924-B10A firmware
- Zyxel SBG3300-N000, SBG3300-NB00 firmware
- Zyxel SBG3500-N000, SBG3500-NB00 firmware
Discovery Timeline
- February 4, 2025 - CVE-2025-0890 published to NVD
- December 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-0890
Vulnerability Analysis
This vulnerability stems from the presence of hardcoded or insecure default credentials in the Telnet service of affected Zyxel DSL CPE devices. The Telnet protocol, which transmits data including credentials in plaintext, is enabled by default on these legacy devices. When administrators deploy these devices without changing the factory default credentials, the devices remain vulnerable to unauthorized access.
The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-522 (Insufficiently Protected Credentials). The combination of an exposed management interface via Telnet and predictable default credentials creates a significant attack surface, particularly for devices exposed to the internet or accessible from untrusted network segments.
Once an attacker successfully authenticates using default credentials, they gain full administrative control over the device, enabling them to modify device configurations, intercept network traffic, establish persistence, or use the compromised device as a pivot point for further attacks within the network.
Root Cause
The root cause of this vulnerability is that the device firmware ships with default credentials and has no enforcement mechanism requiring them to be changed during initial setup. This design flaw, combined with the use of the insecure Telnet protocol for remote management, means an attacker needs nothing more than the published default credentials to authenticate. The affected devices ship with known default username and password combinations that remain unchanged unless the administrator proactively modifies them.
Attack Vector
The attack vector for CVE-2025-0890 is network-based and requires no user interaction or special privileges. An attacker can exploit this vulnerability by:
- Scanning for devices with open Telnet ports (TCP port 23)
- Identifying vulnerable Zyxel DSL CPE devices through banner grabbing or fingerprinting
- Attempting authentication using known default credentials for Zyxel devices
- Upon successful authentication, gaining full administrative access to the device
The attack can be automated and scaled to target multiple devices simultaneously, making this vulnerability particularly attractive for botnet operators and mass exploitation campaigns.
Detection Methods for CVE-2025-0890
Indicators of Compromise
- Unexpected Telnet connections to Zyxel DSL CPE devices on TCP port 23
- Multiple failed login attempts followed by successful authentication from unknown IP addresses
- Configuration changes made to the device without administrator knowledge
- Unusual outbound network traffic originating from the DSL CPE device
- Device settings modified to enable additional remote access or disable security features
Detection Strategies
- Monitor for Telnet (TCP/23) connection attempts to network infrastructure devices
- Implement network intrusion detection rules for default credential authentication attempts
- Deploy honeypot devices configured to detect scans targeting Zyxel equipment
- Analyze authentication logs for access patterns indicating credential stuffing or brute force attempts
- Use asset discovery tools to identify legacy Zyxel devices still deployed on the network
Monitoring Recommendations
- Enable logging on all network devices and centralize log collection for analysis
- Configure alerts for any successful Telnet authentication to infrastructure devices
- Implement network segmentation monitoring to detect lateral movement from compromised devices
- Regularly audit device configurations for unauthorized changes
- Monitor DNS queries and outbound connections from network infrastructure for C2 communication patterns
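The indicators and detection strategies above can be turned into a concrete check run over centralized logs. The script below is an added example, not part of the advisory and not Zyxel code: it flags Telnet (TCP/23) connections to CPE management addresses from hosts outside a management allowlist, successful logins from untrusted sources, and the pattern of several failed logins followed by a success from the same source. The log format, the CPE inventory, the trusted management hosts and the threshold values are all constructed assumptions and must be adapted to the real collector's output.

```python
"""Defensive detection for CVE-2025-0890 style abuse of Telnet default
credentials on legacy CPE devices.

Added example, not code from Zyxel or from the advisory. The log format,
addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format:
# firewall connection records and device authentication records.
SAMPLE_LOGS = """\
2025-02-05T10:00:01Z fw conn proto=tcp src=10.0.5.12 dst=192.168.1.1 dport=23 action=allow
2025-02-05T10:00:02Z cpe-01 auth user=admin src=10.0.5.12 result=success
2025-02-05T10:00:03Z fw conn proto=tcp src=203.0.113.77 dst=192.168.1.1 dport=23 action=allow
2025-02-05T10:00:04Z cpe-01 auth user=admin src=203.0.113.77 result=fail
2025-02-05T10:00:05Z cpe-01 auth user=admin src=203.0.113.77 result=fail
2025-02-05T10:00:06Z cpe-01 auth user=admin src=203.0.113.77 result=fail
2025-02-05T10:00:07Z cpe-01 auth user=admin src=203.0.113.77 result=success
2025-02-05T10:00:08Z fw conn proto=tcp src=10.0.5.12 dst=192.168.1.1 dport=443 action=allow
"""

# Assumed inventory: management hosts allowed to reach CPE devices over
# Telnet, and the CPE management addresses themselves.
TRUSTED_MGMT_SOURCES = {"10.0.5.12"}
CPE_ADDRESSES = {"192.168.1.1"}

# Assumed tuning: how many failures within the window make a following
# success suspicious (credential guessing followed by a hit).
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

CONN_RE = re.compile(
    r"^(\S+) \S+ conn proto=tcp src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$"
)
AUTH_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\w+)$")


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text):
    """Return a list of (alert_type, source, target) tuples in log order."""
    alerts = []
    # (device, source) -> timestamps of recent failed logins
    failures = defaultdict(list)

    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            _ts, src, dst, dport, _action = m.groups()
            # Any Telnet connection to a CPE from outside the allowlist is
            # an indicator on its own, whether or not a login follows.
            if dport == "23" and dst in CPE_ADDRESSES and src not in TRUSTED_MGMT_SOURCES:
                alerts.append(("untrusted_telnet_connection", src, dst))
            continue

        m = AUTH_RE.match(line)
        if m:
            ts, device, _user, src, result = m.groups()
            now = parse_ts(ts)
            key = (device, src)
            if result == "fail":
                failures[key].append(now)
            elif result == "success":
                recent = [t for t in failures[key] if now - t <= WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    alerts.append(("success_after_failures", src, device))
                if src not in TRUSTED_MGMT_SOURCES:
                    alerts.append(("untrusted_successful_login", src, device))
                failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

On the constructed sample, the trusted management host's Telnet session and its successful login produce no alert, while the untrusted source trips three separate indicators: the inbound Telnet connection itself, the success that follows three failures, and a successful login from outside the allowlist. In practice the "untrusted_telnet_connection" alert is the one to wire to an immediate response, since after the Telnet service has been disabled and perimeter rules are in place no such connection should ever be allowed through.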
How to Mitigate CVE-2025-0890
Immediate Actions Required
- Change default credentials on all affected Zyxel devices immediately if still in use
- Disable the Telnet service on affected devices and use SSH for remote management where available
- Implement network access controls to restrict management interface access to trusted IP addresses only
- Place affected devices behind a firewall with strict ingress rules blocking Telnet from untrusted networks
- Begin planning for replacement of end-of-life devices with supported alternatives
Patch Information
Zyxel has classified the affected products as legacy/end-of-life devices. According to the Zyxel Security Advisory, no firmware patches will be released for these devices. Organizations using affected equipment should prioritize device replacement with currently supported models that receive security updates.
Workarounds
- Disable Telnet access entirely on affected devices through the management interface
- Configure firewall rules to block TCP port 23 access from all untrusted networks
- Implement VPN-only access for remote device management
- Use network segmentation to isolate legacy devices from critical network infrastructure
- Monitor devices closely for signs of compromise until replacement can be completed
# Example: Block Telnet access at the network perimeter
# Log, then drop, incoming Telnet connections. The LOG rule must be
# appended before the DROP rule: iptables evaluates a chain in order and
# a packet matched by DROP never reaches any later rule, so a LOG rule
# placed after the DROP would never fire.
iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "TELNET_BLOCKED: "
iptables -A INPUT -p tcp --dport 23 -j DROP
# Same pattern for Telnet forwarded toward internal networks
iptables -A FORWARD -p tcp --dport 23 -d 192.168.0.0/16 -j LOG --log-prefix "TELNET_BLOCKED: "
iptables -A FORWARD -p tcp --dport 23 -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.