The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a path traversal vulnerability in multiple Zyxel firewall appliances to its Known Exploited Vulnerabilities (KEV) catalog, indicating that it is being exploited in the wild.
The flaw, tracked as CVE-2024-11667, is a directory traversal bug in the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. A crafted URL lets an attacker download or upload files outside the intended directory, which can lead to unauthorized system access, credential theft, and the creation of backdoor VPN connections.
According to Zyxel, devices running ZLD firmware versions 4.32 through 5.38 are affected when remote management or SSL VPN is enabled, because that is what exposes the management interface to the attacker.
Zyxel first disclosed the vulnerability on November 27, noting that it was already being exploited in the wild. The company said that firmware version 5.39, released on September 3, 2024, fixes CVE-2024-11667 along with other known security flaws.
Last month, Germany's CERT-Bund reported organizations that were compromised even after applying Zyxel's patches. The attackers kept their access because administrator passwords had not been changed after the update, or because accounts the attackers had created were never identified and removed. Patching alone is therefore not enough: administrator credentials should be rotated, local and VPN user accounts audited, and the configuration reviewed for unexpected changes.
Of note, a Sekoia report from November highlights another Zyxel vulnerability, CVE-2024-42057, as exploited in the Helldown ransomware attacks to compromise corporate systems.