Cyber Security researchers warn that important zero -day vulnerabilities that affect the Zyxel CPE series device are watching wild and positive exploitation.
“The attacker may execute any command on a device affected by this vulnerabilities, and may lead to complete systems, data removal, or network penetration.” Was described in an alert released on Tuesday.
The vulnerability in question is CVE-2024-40891, which is an important command injection vulnerability that has no public disclosure or patch. The existence of the bug was first reported by Vulncheck in July 2024.
The statistics collected by threat intelligence companies indicate that there are dozens of IP addresses of attacks and most of them are in Taiwan. According to Censys, there are more than 1,500 vulnerable devices online.
“CVE-2024-40891 is very similar to CVE-2024-40890, the main difference is that the former is Telnet-based and the latter is HTTP-based,” said GreyNoise. “Either vulnerability allows unrecognized attackers to use a service account to execute any command.”
Vulncheck told Hacker News that it is working through the disclosure process with a Taiwanese company. We contacted Zyxel for further comments, and if we reply, we will update the story.
In the past, it is recommended that users filter the abnormal HTTP request traffic to the Zyxel CPE management interface and limit access to the reliable IP management interface.
This development reported that ARCTIC WOLF reported the campaign on January 22, 2025, and was accompanied by the acquisition of unauthorized access to devices that are executing SimpleHelp Remote Desktop software as the initial access vector.
It is unknown whether the attack is now related to the exploitation of recently disclosed security defects (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728). Upload any file with the administrator user.
“The first sign of a compromise was a communication to the SimpleHelp Server instance, which was not approved by the client process,” said security researchers Andres Ramos. “The threat activity also includes the list of accounts and domain information through the CMD.EXE process that started through the Simplehelp session using tools such as the Internet and NLTEST. Session before the attack progresses. Before the end, the threat actor was not observed for the purpose.
The organization strongly recommends updating the SimpleHelp instance to the latest fixed version to ensure potential threats.
update
The company said that there is a clear sign that threat stakeholders are trying to utilize large amounts of vulnerabilities. In addition, some Mirai Botnet Validates have identified the “significant overlap between IP and MIRAI using CVE-2024-40891” and then abuse CVE-2024-40891. I pointed out that it has already been added.
Source link
