Cybersecurity researchers warn that critical vulnerability with zero day affecting Zyxel CPE devices see active attempts to operate in the wild.
“Attackers can use this vulnerability to execute arbitrary teams on affected devices, which will complete compromise – Note in a warning published on Tuesday.
The vulnerability in question, -cve-2024-40891, this is a critical vulnerability of the introduction of teams, which was not publicly disclosed and was not fixed. The existence of an error was First reported Author of Vulncheck in July 2024.
Statistics collected in a intelligence firm threatening show it Attempts to attack occurred with Dozens of IP -daswith most of them located in Taiwan. According to CeSys, their more than 1500 vulnerable devices Internet.
“Cve-2024-40891 is very similar to the CVE-2024-40890, the main difference is that the first is based on the TV and the second-HTTP based on HTTP,” Granosis added. “Both vulnerabilities allow unauthorized attackers to perform arbitrary teams using services accounts.”
Vulncheck told The Hacker News that he was working in the process of disclosure with the Taiwanese company. We turned to Zyxel for further comment and we will update the story when we hear back.
At the same time, users are advised to filter traffic for unusual HTTP requests to CPE Zyxel management interfaces and restrict the administrative interface access to the proclaim IPS.
Development comes when Arctic Wolf reports that it watched the company, starting on January 22, 2025, which provided for unauthorized access to devices operating on the Simplehelp deleted desktop as the initial access vector.
Currently unknown whether the attacks are linked with exploitation Recently revealed security deficiencies In the product (CVE-2024-57726, CVE-2024-57727 and CVE-2014-57728), which can allow bad actors to escalate administrative users and download arbitrary files.
“The first signs of the compromise were the connection from the client process to the unauthorized instance of Simplehelp Server”, a security researcher Andres Ramas – Note. “The threatening activity also provided for the transfer of accounts and domain information through the cmd.exe process initiated through the Simplehelp session using tools such as Net and NLTEST. Actors threatened were not observed on the task because the session was stopped before the attack progressed Next. “
Organizations are strongly recommended to update their Simplehelp instances to the latest fixed versions available to provide potential threats.
