4 December 2024

Vulnerability in Zyxel firewalls exploited in the wild



The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a path traversal vulnerability in multiple Zyxel firewall appliances to its Known Exploited Vulnerabilities (KEV) catalog, indicating exploitation in the wild.

The flaw, tracked as CVE-2024-11667, affects the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Successful exploitation could allow attackers to manipulate file uploads and downloads using crafted URLs, potentially leading to unauthorized system access, credential theft, and the creation of backdoor VPN connections.

Zyxel devices running ZLD firmware versions 4.32 to 5.38 with remote management or SSL VPN enabled are particularly vulnerable.

Zyxel initially disclosed the vulnerability on November 27, noting its active exploitation in the wild. The company said that its firmware version 5.39, released on September 3, 2024, mitigates CVE-2024-11667 and other known security flaws.

Last month, Germany’s CERT (CERT-Bund) disclosed incidents of organizational compromises despite the application of Zyxel’s patches. The breaches occurred because administrative passwords were not updated, or newly created accounts were not identified post-patch, highlighting the critical need for robust post-update security hygiene.
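For defenders, the version range and the CERT-Bund findings above translate into a simple inventory triage. The sketch below is an added example, not Zyxel or CERT-Bund tooling; the inventory schema, device names, dates and finding labels are assumptions made up for illustration.

```python
import re
from datetime import date

# Series and ZLD firmware range as stated in the article above.
AFFECTED_SERIES = ("ATP", "USG FLEX", "USG20")
VULN_MIN, VULN_MAX = (4, 32), (5, 38)

def parse_zld(version):
    """Return (major, minor) from '5.38' or 'V5.38(ABCD.0)'-style strings."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    # Integer tuples, not floats: as floats, 4.9 would sort above 4.32.
    return int(m.group(1)), int(m.group(2))

def triage(dev):
    # dev is one inventory record in a hypothetical schema (see INVENTORY).
    if not dev["model"].upper().startswith(AFFECTED_SERIES):
        return []
    ver = parse_zld(dev["firmware"])
    if ver < VULN_MIN:
        return ["BELOW_STATED_RANGE"]  # article gives no status; check the advisory
    if ver <= VULN_MAX:
        exposed = dev.get("remote_mgmt") or dev.get("ssl_vpn")
        return ["UPGRADE_NOW_EXPOSED" if exposed else "UPGRADE"]
    findings = []
    patched_on = dev.get("patched_on")
    if patched_on:
        # Post-update hygiene from the CERT-Bund incidents: accounts nobody
        # accounted for, and passwords not rotated after the upgrade.
        for acct in dev.get("accounts", []):
            if acct["user"] not in dev.get("expected_accounts", set()):
                findings.append(f"UNEXPECTED_ACCOUNT:{acct['user']}")
            elif acct["password_changed"] < patched_on:
                findings.append(f"STALE_PASSWORD:{acct['user']}")
    return findings

# Constructed sample inventory; names, dates and the "(ABCD.0)" suffix are made up.
INVENTORY = [
    {"name": "fw-branch-1", "model": "USG FLEX 200", "firmware": "V5.38(ABCD.0)",
     "remote_mgmt": True, "ssl_vpn": False},
    {"name": "fw-hq", "model": "ATP500", "firmware": "5.39",
     "patched_on": date(2024, 11, 29), "expected_accounts": {"admin"},
     "accounts": [{"user": "admin", "password_changed": date(2024, 3, 1)},
                  {"user": "support2", "password_changed": date(2024, 11, 20)}]},
    {"name": "fw-lab", "model": "USG20W-VPN", "firmware": "5.39",
     "patched_on": date(2024, 11, 29), "expected_accounts": {"admin"},
     "accounts": [{"user": "admin", "password_changed": date(2024, 12, 1)}]},
]
for dev in INVENTORY:
    print(dev["name"], triage(dev) or ["no findings"])
```
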

Of note, November’s Sekoia report highlights another Zyxel vulnerability (CVE-2024-42057) exploited in the Helldown ransomware attacks to compromise corporate systems.
