Starfolk
Taiwanese hardware maker Zyxel has sparked controversy by announcing that it has no plans to release patches for two actively exploited vulnerabilities affecting thousands of its customers. The critical-rated zero-day vulnerabilities, tracked as CVE-2024-40890 and CVE-2024-40891, were discovered by threat intelligence organization VulnCheck in July last year and reported to Zyxel the following month.
According to GreyNoise, a threat intelligence startup, the flaws allow attackers to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. Despite this, Zyxel claims that the vulnerabilities only impact "legacy products that have reached end-of-life (EOL) for years" and therefore, it has no intention of releasing patches to fix them.
Instead, the company is advising customers to replace vulnerable routers with "newer-generation products for optimal protection." However, this move has been met with criticism, as the impacted devices are not listed on Zyxel's EOL page, and some of the affected models are still available for purchase through Amazon. This raises concerns about the continued use of these vulnerable devices worldwide, which makes them an attractive target for attackers.
Jacob Baines, CTO at VulnCheck, emphasized the relevance of these older systems, stating, "While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers." The significance of this issue is further underscored by Censys, a search engine for Internet of Things devices and Internet assets, which reports that almost 1,500 vulnerable devices remain exposed to the Internet.
GreyNoise has observed that detected botnets, including Mirai, are exploiting one of the Zyxel vulnerabilities, suggesting it is being used in large-scale attacks. This highlights the urgent need for a patch, and Zyxel's refusal to provide one only exacerbates the situation. The company's decision has sparked concerns about the security of its customers, particularly given that its devices are used by over 1 million businesses worldwide.
Zyxel's response to the situation has been inadequate, with spokesperson Birgitte Larsen failing to respond to multiple requests for comment. The company's lack of transparency and accountability in addressing this critical security issue is a cause for concern and may lead to a loss of customer trust.
The implications of Zyxel's decision are far-reaching, and it remains to be seen how this will impact the company's reputation and customer base. In the meantime, it is essential for users of affected devices to take immediate action to protect themselves, including replacing vulnerable routers with newer, more secure models. The incident serves as a stark reminder of the importance of timely security patches and responsible vendor disclosure practices.