There will be no patches for EOL Zyxel routers under attack via CVE-2024-40891, the company has confirmed. Meanwhile, Netgear has issued patches for critical flaws affecting its routers and wireless access points.
Zyxel vulnerability: Exploited, no patches
CVE-2024-40891, a command injection vulnerability in Zyxel CPE Series telecommunications devices that has been known since July 2024 and is currently being exploited by attackers, will not be patched by the manufacturer since the affected devices “are legacy products that have reached end-of-life (EOL) for years.”
The affected models are VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500.
After the public disclosure of active exploitation, it took Zyxel a whole week to publicly confirm that there won’t be a patch and to advise users to replace the devices with newer-generation products.
“If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support,” the company said.
In what seems like an attempt to deflect responsibility for the slow reaction, Zyxel claims that VulnCheck did not share details about this and two other vulnerabilities – another command injection (CVE-2024-40890) and default credentials (CVE-2025-0890) – when they reported them.
VulnCheck researcher Jacob Baines finally published the details about the three flaws on Monday, and noted that while they have been informed that the affected routers are end-of-life, they are not listed on Zyxel’s EOL page.
“Despite this, both FOFA and Censys identify approximately 1,500 affected systems with internet-facing Telnet interfaces. Additionally, some of these models are still available for purchase through Amazon,” he said.
“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers. The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.”
Netgear vulnerabilities: Not exploited, patches available
Netgear has released fixes for two critical remotely exploitable vulnerabilities in its wireless access points and Nighthawk WiFi Pro Gaming router models.
No CVE numbers or technical details are currently available for the two vulnerabilities, which may allow attackers to achieve:
There’s no mention of the vulnerabilities being actively exploited. Nevertheless, the company “strongly recommends” downloading the latest firmware as soon as possible.