
ZYXEL, a Taiwanese hardware manufacturer, said there is no plans to disclose patches for two active vulnerabilities that have potentially influenced thousands of customers.
The threat intelligence startup Greynoise warned that the vulnerability of the zero day of critical grade, which affects the Zyxel router at the end of last month, is being actively used. Graynoise allows the attacker to run any command on an affected device, resulting in system compromise, data extraction or network penetration.
The vulnerability was found in July last year by the threat intelligence organization Vulncheck and was reported to ZYXEL next month, but according to Greynoise, it was not yet patched or officially disclosed by the manufacturer.
This week’s advisory ZYXEL said that “recent” recognized two vulnerabilities that were officially tracked in CVE-2024-40890 and CVE-20124-40891.
The company insisted that the flaw was not reported by Vulncheck, and said it was first learned on January 29, the day after Greynoise reported actively.
Zyxel, which uses devices in more than a million people, says there is no plans to disclose the patch to be fixed because these bugs affect “Legacy products that have reached EOL for many years.” Instead, the company advises customers to replace the routers vulnerable to the “new generation of products for optimal protection.”
Vulncheck on Tuesday blog posts that the affected device is not listed on the Zyxel’s EOL page, and some of the models affected can be purchased through Amazon, TechCrunch said.
Jacob Baines, CTO of Vulncheck, said, “These systems are older and not longer, but they are very relevant because of continuous use worldwide and continuous interest in the attackers.
According to Censys, almost 1,500 vulnerable devices are exposed to the Internet, according to a search engine for Internet of Things and Internet assets.
In last week’s update, Greynoise observes the detected botnet, including Mirai, suggests that it is used for large -scale attacks by exploiting one of the Zyxel vulnerabilities.
Zyxel spokesman Birgitte Larsen did not respond to various requests from TechCrunch.









