What are Zyxel DSL CPE Devices?
Zyxel DSL customer premises equipment (CPE) are broadband routers and modems deployed by ISPs and small businesses for DSL internet access. These devices manage the DSL connection, provide NAT and routing, and expose a web management interface for configuration. The affected models are legacy devices — older hardware that Zyxel no longer actively supports — but remain widely deployed in home and small-business environments. As network edge devices, compromised CPEs give attackers persistent access to local networks and the ability to intercept or manipulate traffic.
Overview
CVE-2024-40890 is a post-authentication OS command injection vulnerability in the CGI program of multiple legacy Zyxel DSL CPE devices. An authenticated attacker can send a crafted HTTP request to the CGI interface that injects shell commands, executing arbitrary OS code on the device. Zyxel published the advisory on February 4, 2025, confirming the affected devices are end-of-life and no firmware patch will be issued. CISA added both CVE-2024-40890 (CGI injection) and its companion CVE-2024-40891 (Telnet injection) to the KEV catalog simultaneously on February 11, 2025, reflecting active botnet exploitation of these devices.
Affected Versions
| Device | Status |
|---|---|
| Zyxel VMG1312-B10A | End-of-life; no patch |
| Zyxel VMG1312-B10B | End-of-life; no patch |
| Zyxel VMG1312-B10E | End-of-life; no patch |
| Zyxel VMG3312-B10A | End-of-life; no patch |
| Zyxel VMG3313-B10A | End-of-life; no patch |
| Zyxel VMG3926-B10A | End-of-life; no patch |
| Zyxel VMG4380-B10A | End-of-life; no patch |
| Zyxel VMG8324-B10A | End-of-life; no patch |
| Zyxel VMG8924-B10A | End-of-life; no patch |
| Zyxel SBG3300 | End-of-life; no patch |
| Zyxel SBG3500 | End-of-life; no patch |
No firmware patch will be released for any affected model.
Technical Details
The weakness is CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CGI program in the affected Zyxel DSL CPE devices passes user-supplied input from the web management interface to an OS command without adequate sanitization. An attacker with low-privilege (authenticated) access to the management web interface can inject shell metacharacters into a CGI parameter, causing arbitrary commands to be executed by the device's underlying OS with the privileges of the CGI process.
This vulnerability is the web-CGI variant of a broader command injection issue. CVE-2024-40891 is a companion vulnerability that enables the same command injection via the Telnet management interface. Together they provide two separate vectors to the same root cause, ensuring that devices with either web management or Telnet management exposed are exploitable.
Discovery
The issue was reported to Zyxel, which published a security advisory on February 4, 2025. The advisory confirmed that the devices are end-of-life and that no patch is planned.
Exploitation Context
Botnet operators — particularly those building Mirai-family DDoS infrastructure — systematically target legacy network edge devices with known credential weaknesses and command injection vulnerabilities. The simultaneous KEV addition of CVE-2024-40890 and CVE-2024-40891 reflects active exploitation of these specific Zyxel CPE models by botnets scanning for devices with default credentials, then using these command injection vulnerabilities to install bot malware for DDoS attack participation, network reconnaissance, or proxying of other attacks.
Remediation
- Retire and replace all affected Zyxel DSL CPE devices — no firmware patch will be issued. This is the only permanent remediation.
- If immediate replacement is not possible, disable remote management access (web and Telnet) from the internet-facing interface.
- Change default credentials on all affected devices to strong, unique passwords to raise the bar for the authentication prerequisite.
- Contact the ISP or upstream provider who deployed the equipment about accelerating hardware replacement under any end-of-life device replacement programs.
- Place affected devices behind an additional firewall or segment them from sensitive internal systems while awaiting replacement.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-40890 |
| Vendor / Product | Zyxel — DSL CPE Devices |
| NVD Published | 2025-02-04 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2025-02-11 |
| CISA KEV Deadline | 2025-03-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-02-04 | Zyxel publishes security advisory; affected devices confirmed EOL with no patch available |
| 2025-02-11 | Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-40891 |
| 2025-03-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Zyxel Security Advisory — Command Injection in Legacy DSL CPE | Vendor Advisory |
| NVD — CVE-2024-40890 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |