Taiwanese hardware manufacturer Zyxel has stated that it has no plans to release a patch for two exploited vulnerabilities that could affect thousands of customers.
GreyNoise reported a zero-day vulnerability in Zyxel routers that allows attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or network infiltration.
VulnCheck says it discovered the vulnerabilities in July last year and reported them to Zyxel, but the manufacturer has not yet patched or disclosed the issues.
Zyxel has discovered two vulnerabilities, CVE-2024-40890 and CVE-2024-40891, which affect multiple end-of-life products, according to an advisory.
The company claims VulnCheck did not report the flaws to it, and that Zyxel only discovered them on January 29, following GreyNoise’s report of active exploitation.
Zyxel advises customers to replace vulnerable routers with newer-generation products for optimal protection, as patches are not planned for legacy products that have reached end-of-life.
VulnCheck reports that Zyxel’s EOL page doesn’t list the affected devices, and some models are still available for purchase through Amazon, as TechCrunch confirmed.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” Jacob Baines, CTO at VulnCheck, said.
Censys, a search engine for Internet of Things devices and assets, reports that nearly 1,500 vulnerable devices remain exposed to the internet.
GreyNoise reported that it has detected botnets, including Mirai, exploiting the Zyxel vulnerability, indicating the flaw is being used in large-scale attacks.