The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild.
The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices.
Successful exploitation of the security defect could allow an attacker to download or upload files using crafted URLs, a NIST advisory reads.
“An attacker may gain unauthorized access to the system, steal credentials, and create backdoor VPN connections by exploiting the vulnerability,” Qualys warned on Tuesday.
Affected are Zyxel ATP and USG FLEX series firewalls in on-premises mode running ZLD firmware versions 4.32 to 5.38 that have remote management or SSL VPN enabled.
On November 27, just ahead of Thanksgiving, Zyxel warned of the vulnerability being exploited in the wild by updating its advisory on previously disclosed attacks targeting its firewalls.
“We confirm that firewall firmware version 5.39, released on September 3, 2024, and later versions are immune to the exploitation, as we have addressed all known vulnerabilities, including CVE-2024-11667, and performed a series of security enhancements in version 5.39,” the updated advisory reads.
The advisory references a Sekoia report on the exploitation of another Zyxel firewall vulnerability, tracked as CVE-2024-42057, in Helldown ransomware attacks. Patches for CVE-2024-42057 and six other security defects were released on September 3.
“To safeguard devices, we have strongly urged users to update their firmware and change admin passwords. These updates are critical to mitigating the risk of threat actors exploiting previously disclosed vulnerabilities in Zyxel security appliances,” Zyxel warns in its updated advisory.
On November 22, CERT Germany (CERT-Bund) revealed that some organizations were compromised after applying Zyxel’s patches without changing administrative passwords or checking for newly created accounts.
“Further investigations have now revealed that updating the affected devices alone was not sufficient to permanently prevent compromise. Instead, the attackers can use created accounts to penetrate the networks,” reads a translation of CERT-Bund’s advisory (PDF).
On December 3, CISA added CVE-2024-11667 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the available patches by December 24, in line with Binding Operational Directive (BOD) 22-01.
The agency also warned of the in-the-wild exploitation of CVE-2023-45727, a vulnerability in Proself email security and data sanitization appliances, and CVE-2024-11680, a bug in the open source application ProjectSend.
Additionally, CISA urged users and administrators to review Palo Alto Networks’ advisories on CVE-2024-0012 and CVE-2024-9474, two zero-days exploited in Operation Lunar Peek that led to the compromise of many firewalls.
While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and prioritize mitigating the included security defects.