Zyxel Refuses Patch for Critical Routers Under Active Attack – Ankor Tech

Taiwanese hardware manufacturer Zyxel has confirmed it will not release security patches for two critical vulnerabilities currently being exploited in the wild. The flaws, designated CVE-2024-40890 and CVE-2024-40891, place thousands of legacy routers at risk of full system compromise, data theft, and unauthorized network infiltration.

Active Exploitation and Zero-Day Threats

The security crisis began late last month when threat intelligence firm GreyNoise issued a warning regarding active exploitation of a zero-day vulnerability in the affected routers. The flaws allow malicious actors to execute arbitrary commands on target devices, effectively granting them total control over the hardware.

While the threat was identified and reported by VulnCheck in July 2023, Zyxel maintains it only became aware of the issues on January 29, 2025—one day after public reports surfaced. The company officially addressed the situation in a recent security advisory.

End-of-Life Status vs. Real-World Risk

Zyxel, whose technology powers over 1 million businesses globally, argues that the affected models are “end-of-life” (EOL) products. Consequently, the manufacturer has explicitly refused to provide updates, instead urging users to purchase newer hardware for “optimal protection.”

However, this stance has drawn criticism from security researchers. In a technical breakdown, VulnCheck highlighted that many of these devices are not clearly listed as EOL on Zyxel’s official portal and remain available for purchase on platforms like Amazon.

“While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers,” stated Jacob Baines, CTO at VulnCheck.

The Scale of the Vulnerability

Data from Censys indicates that nearly 1,500 vulnerable devices are currently exposed directly to the internet. GreyNoise has confirmed that the vulnerabilities are already being integrated into large-scale botnet campaigns, including the notorious Mirai strain, signaling a high risk for organizations still relying on this equipment.