Zyxel has issued a fresh warning on threat actors exploiting a recently patched command injection vulnerability in its firewalls after security firms have observed a ransomware group targeting the flaw for initial compromise.

The bug, tracked as CVE-2024-42057, could allow remote attackers to execute OS commands on vulnerable devices, without authentication.

Zyxel announced patches for this flaw and six other security defects on September 3, explaining that only devices configured in User-Based-PSK authentication mode on which a valid user with a long username exceeding 28 characters exists are affected.

Zyxel addressed these vulnerabilities with the release of firmware version 5.39 for ATP, USG FLEX, and USG FLEX 50(W)/USG20(W)-VPN series devices.

A month later, Zyxel EMEA warned that threat actors had been targeting firewalls running firmware iterations 4.32 to 5.38 to create rogue user accounts and gain access to networks via SSL VPN tunnels.

“The Zyxel EMEA team has been tracking the recent activity of threat actors targeting Zyxel security appliances that were previously subject to vulnerabilities. Since then, admin passwords have not been changed. Users are advised to update all administrators and all user accounts for optimal protection,” Zyxel EMEA said.

Last week, cybersecurity firm Sekoia warned about attacks launched by the Helldown ransomware group, which claimed 31 victims between August and October, including Zyxel’s European subsidiary.

At least eight Helldown victims, Sekoia said, were using Zyxel firewalls as IPSec VPN access points when they were hacked. The attackers likely targeted CVE-2024-42057 to compromise the Zyxel appliances running firmware version 5.38.

The cybersecurity firm observed the attackers creating on a vulnerable device a rogue account named OKSDW82A, which had previously been observed in a Helldown incident analyzed by Truesec.

“All of this evidence strongly suggests that Zyxel firewalls have been targeted by Helldown. Details about post-compromise activities indicate that, in at least one intrusion, the attacker’s tactics align with typical ransomware methods,” Sekoia noted.

Shortly after the report, Zyxel issued an advisory confirming that devices that had not been upgraded to firmware version 5.39 were targeted in malicious attacks.

“Zyxel is aware of recent attempts by threat actors to target Zyxel firewalls through previously disclosed vulnerabilities, as reported in Sekoia’s blog post. We confirm that the reported issues are not reproducible on firmware version 5.39, released on September 3, 2024,” Zyxel said.

Users are advised to upgrade to the patched firmware release as soon as possible, or to temporarily disable remote access to firewalls that cannot be patched immediately.

Related: 400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws

Related: Zyxel Patches Critical Vulnerabilities in Networking Devices

Related: Critical Flaw Exposes Many WiMAX Routers to Attacks

Related: Organizations Slow to Protect Doors Against Hackers: Researcher