CVE-2024-40891 — Zyxel DSL CPE OS Command Injection Vulnerability

Zyxel DSL CPE Devices — Post-Auth Telnet Command Injection on EOL Devices, No Patch Available

What are Zyxel DSL CPE Devices?

Zyxel DSL customer premises equipment (CPE) are broadband routers and modems deployed by ISPs and small businesses for DSL internet access. These devices manage the DSL connection, provide NAT and routing, and expose management interfaces for configuration — including a Telnet management channel on many legacy models. The affected devices are end-of-life hardware still widely deployed in home and small-business environments. As network edge devices, compromised CPEs give attackers persistent presence on the local network and a launching point for further attacks.

Overview

CVE-2024-40891 is a post-authentication OS command injection vulnerability in the Telnet management interface of multiple legacy Zyxel DSL CPE devices. An attacker who can authenticate to the Telnet interface (commonly possible with default credentials) can inject shell commands into management command parameters, executing arbitrary OS commands on the device. This is the Telnet-interface companion to CVE-2024-40890 (CGI-based injection in the same devices). Both were added to the CISA KEV catalog simultaneously on February 11, 2025, reflecting active botnet exploitation. No patch will be issued — the devices are end-of-life.

Affected Versions

Device              Status
Zyxel VMG1312-B10A  End-of-life; no patch
Zyxel VMG1312-B10B  End-of-life; no patch
Zyxel VMG1312-B10E  End-of-life; no patch
Zyxel VMG3312-B10A  End-of-life; no patch
Zyxel VMG3313-B10A  End-of-life; no patch
Zyxel VMG3926-B10A  End-of-life; no patch
Zyxel VMG4380-B10A  End-of-life; no patch
Zyxel VMG8324-B10A  End-of-life; no patch
Zyxel VMG8924-B10A  End-of-life; no patch
Zyxel SBG3300       End-of-life; no patch
Zyxel SBG3500       End-of-life; no patch

Technical Details

CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The Telnet management interface on affected Zyxel DSL CPE devices accepts management commands that are executed by an underlying shell. When these commands are insufficiently sanitized, an authenticated attacker can append shell metacharacters to a management command argument, causing the device to execute injected OS commands with the privileges of the management process.

Because many legacy DSL CPEs retain default or weak credentials that have not been changed since ISP provisioning, the authentication prerequisite is often trivially satisfied. The Telnet attack surface is particularly exposed on devices where Telnet is enabled by default or where remote Telnet management is accessible from the WAN interface.

CVE-2024-40890 (CGI injection) and CVE-2024-40891 (Telnet injection) affect the same device lineup and share the same root cause, reached through two different management interfaces. An attacker who can reach either interface can exploit the corresponding CVE.
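The CWE-78 pattern described above, shown as an added example rather than Zyxel firmware code: a management command handler that splices a user-supplied argument into a shell string (the vulnerable form, returned but never executed here) beside a hardened handler that validates the argument against an allow-list for its kind and hands the kernel an argv vector with no shell in between. The command table, argument kinds, interface names and sample inputs are constructed for the demonstration; the `is_injection_attempt` helper is the same metacharacter check a defender would run over management-interface logs.

```python
"""CWE-78 pattern behind CVE-2024-40891: vulnerable form beside hardened form.

Added example, not Zyxel firmware code. The command table, argument kinds,
interface allow-list and sample inputs below are constructed for illustration.
"""
import ipaddress
import re
import subprocess
from typing import List

# Characters that let an argument break out of a shell command line
SHELL_METACHARS = re.compile(r"[;&|`$()<>{}\n\r\\\"']")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Constructed management command table: CLI verb -> (binary, argument kind)
MGMT_COMMANDS = {
    "ping": ("/bin/ping", "host"),
    "ifconfig": ("/sbin/ifconfig", "iface"),
}
# Constructed allow-list of interface names the CLI may pass through
ALLOWED_IFACES = {"br0", "eth0", "ptm0", "wl0"}


def build_shell_command_vulnerable(verb: str, arg: str) -> str:
    """Vulnerable pattern: the user-supplied argument is spliced into one
    string destined for system() / `sh -c`, so anything after a metacharacter
    becomes a second command. The string is returned here, never executed."""
    binary, _kind = MGMT_COMMANDS[verb]
    return f"{binary} {arg}"


def is_injection_attempt(arg: str) -> bool:
    """Detection helper for management-interface logs: flag arguments that
    carry characters with special meaning to a shell."""
    return SHELL_METACHARS.search(arg) is not None


def validate_argument(kind: str, arg: str) -> str:
    """Allow-list validation per argument kind. Returns the argument
    unchanged when it is well-formed, raises ValueError otherwise."""
    if kind == "host":
        try:
            ipaddress.ip_address(arg)
            return arg
        except ValueError:
            pass
        if HOSTNAME_RE.match(arg):
            return arg
        raise ValueError(f"invalid host argument: {arg!r}")
    if kind == "iface":
        if arg in ALLOWED_IFACES:
            return arg
        raise ValueError(f"interface not in allow-list: {arg!r}")
    raise ValueError(f"unknown argument kind: {kind!r}")


def build_argv_hardened(verb: str, arg: str) -> List[str]:
    """Hardened pattern: validate against the allow-list, then build an argv
    vector. Executed without a shell, so metacharacters in the argument are
    just bytes in argv[1] rather than command separators."""
    if verb not in MGMT_COMMANDS:
        raise ValueError(f"unknown management command: {verb!r}")
    binary, kind = MGMT_COMMANDS[verb]
    return [binary, validate_argument(kind, arg)]


def rejects(verb: str, arg: str) -> bool:
    """True when the hardened path refuses the input."""
    try:
        build_argv_hardened(verb, arg)
    except ValueError:
        return True
    return False


def run_management_command(verb: str, arg: str) -> subprocess.CompletedProcess:
    """How the hardened argv is meant to be executed: shell=False."""
    return subprocess.run(build_argv_hardened(verb, arg), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    benign = "10.0.0.1"
    hostile = "10.0.0.1; echo injected"   # constructed injection attempt
    print(build_shell_command_vulnerable("ping", hostile))   # two commands in one string
    print(is_injection_attempt(hostile), is_injection_attempt(benign))
    print(build_argv_hardened("ping", benign))
    print(rejects("ping", hostile), rejects("ifconfig", "br0; echo x"))
```

The hardened path gets its safety from two independent properties: the allow-list bounds what an argument may look like, and `shell=False` means that even an argument that slips past validation is never interpreted by a shell. Either one alone would have been enough to close this class of bug in the Telnet interface; the vulnerable devices had neither.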

Discovery

Reported to Zyxel alongside CVE-2024-40890. Zyxel published its security advisory on February 4, 2025, confirming end-of-life status and the absence of a patch.

Exploitation Context

Mirai-family botnet operators routinely scan for legacy network devices with default credentials and known command injection vulnerabilities, recruiting them as DDoS nodes. The simultaneous CISA KEV addition of CVE-2024-40890 and CVE-2024-40891 confirms active botnet recruitment of these Zyxel models via both their CGI and Telnet interfaces. ISP-deployed CPEs are particularly challenging to patch at scale, as updating customer-premises hardware typically requires ISP coordination — contributing to large populations of persistently vulnerable devices.

Remediation

  1. Retire and replace all affected Zyxel DSL CPE devices — no firmware patch will be issued.
  2. If immediate replacement is not possible, disable Telnet management completely on all affected devices.
  3. Also disable or restrict the web management CGI interface (see CVE-2024-40890) — both attack surfaces should be closed.
  4. Change all default credentials immediately; do not rely on default ISP-provisioned usernames and passwords.
  5. Block external (WAN-side) access to the management interfaces via the device's own firewall rules or an upstream security appliance.
  6. Contact the ISP about emergency CPE replacement programs for end-of-life hardware.
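The remediation steps above, turned into a fleet audit as an added example (not Zyxel or CISA tooling): each inventory record is checked against the affected-model list from this advisory and against the interim controls (Telnet off, CGI interface restricted, default credentials changed, WAN-side management blocked), and devices are triaged by current exposure so the replacement queue starts with the ones that matter most. The record layout, field names and sample devices are constructed; in practice the same fields would come from an ISP's ACS/TR-069 export or a configuration database.

```python
"""Fleet audit against the remediation steps for CVE-2024-40891.

Added example, not Zyxel or CISA tooling. The inventory record layout,
field names and sample devices are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Models the advisory lists as affected and end-of-life
AFFECTED_MODELS = {
    "VMG1312-B10A", "VMG1312-B10B", "VMG1312-B10E", "VMG3312-B10A",
    "VMG3313-B10A", "VMG3926-B10A", "VMG4380-B10A", "VMG8324-B10A",
    "VMG8924-B10A", "SBG3300", "SBG3500",
}


@dataclass(frozen=True)
class CpeRecord:
    device_id: str
    model: str
    telnet_enabled: bool
    web_mgmt_enabled: bool
    wan_mgmt_allowed: bool   # management reachable from the WAN side
    default_creds: bool      # still on ISP-provisioned credentials


def audit_device(rec: CpeRecord) -> List[str]:
    """Map one device's state onto the advisory's remediation steps.
    An empty list means the model is not in scope."""
    if rec.model not in AFFECTED_MODELS:
        return []
    findings = ["replace: end-of-life model, no firmware patch will be issued"]
    if rec.telnet_enabled:
        findings.append("disable Telnet management (CVE-2024-40891 surface)")
    if rec.web_mgmt_enabled:
        findings.append("disable or restrict web CGI management (CVE-2024-40890 surface)")
    if rec.default_creds:
        findings.append("change ISP-provisioned default credentials")
    if rec.wan_mgmt_allowed and (rec.telnet_enabled or rec.web_mgmt_enabled):
        findings.append("block WAN-side access to management interfaces")
    return findings


def triage(rec: CpeRecord) -> str:
    """Order the replacement queue by current exposure:
    critical: a management interface reachable from the WAN, default credentials
    high:     a management interface reachable from the WAN
    medium:   a management interface enabled, but LAN-only
    low:      affected model with both interfaces disabled
    none:     not an affected model"""
    if rec.model not in AFFECTED_MODELS:
        return "none"
    exposed = rec.telnet_enabled or rec.web_mgmt_enabled
    if exposed and rec.wan_mgmt_allowed:
        return "critical" if rec.default_creds else "high"
    if exposed:
        return "medium"
    return "low"


def audit_fleet(records: List[CpeRecord]) -> Dict[str, Dict[str, object]]:
    """Findings and triage for every in-scope device, keyed by device id."""
    report: Dict[str, Dict[str, object]] = {}
    for rec in records:
        findings = audit_device(rec)
        if findings:
            report[rec.device_id] = {
                "model": rec.model,
                "triage": triage(rec),
                "findings": findings,
            }
    return report


# Constructed sample inventory; the last model name is a placeholder for
# any device outside the affected list
SAMPLE_INVENTORY = [
    CpeRecord("cpe-001", "VMG1312-B10A", True, True, True, True),
    CpeRecord("cpe-002", "VMG8924-B10A", False, True, False, False),
    CpeRecord("cpe-003", "VMG3926-B10A", False, False, False, False),
    CpeRecord("cpe-004", "PLACEHOLDER-UNAFFECTED-MODEL", True, True, True, True),
]

if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    report = audit_fleet(SAMPLE_INVENTORY)
    for dev_id, entry in sorted(report.items(), key=lambda kv: order[kv[1]["triage"]]):
        print(f"{dev_id} {entry['model']} [{entry['triage']}]")
        for finding in entry["findings"]:
            print("  -", finding)
```

Note that "low" still carries the replacement finding: with no patch coming, disabling both interfaces only buys time, and the advisory's first step (retire and replace) applies to every device on the affected list regardless of its current configuration.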

Key Details

Property              Value
CVE ID                CVE-2024-40891
Vendor / Product      Zyxel — DSL CPE Devices
NVD Published         2025-02-04
NVD Last Modified     2025-10-27
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
CISA KEV Added        2025-02-11
CISA KEV Deadline     2025-03-04
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  Low
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-03-04. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.

Timeline

Date        Event
2025-02-04  Zyxel publishes security advisory; affected devices confirmed EOL with no patch available
2025-02-11  Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2024-40890
2025-03-04  CISA BOD 22-01 remediation deadline