Reference: Advisory #2024-278
Version: 1.0
Affected software: Zyxel ZLD firewall firmware versions 5.00 through 5.38
Type: Directory traversal vulnerability
CVE/CVSS: CVE-2024-11667 - 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-11667
Zyxel firewalls are Next-Generation firewalls used by organizations for security protection.
A high-severity vulnerability (CVSS 7.5) exists in the web management interface of Zyxel ZLD firewalls. If left unpatched, the affected devices are vulnerable to directory traversal attacks with a possible high impact on confidentiality.
The vulnerability is known to be actively exploited by threat actors using the Helldown ransomware strain.
CVE-2024-11667 is fixed in the latest firmware update 5.39.
CVE-2024-11667 is an 'Improper Limitation of a Pathname to a Restricted Directory' vulnerability, also known as 'Path Traversal'. If it is exploited successfully, an attacker can download files via a crafted URL and can also upload malicious files.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
A firmware update to version 5.39 is available via the vendor's website. In the meantime, it is strongly recommended to disable remote access and change the administrator password.
Monitor/Detect
The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
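As an aid for reviewing historic web-management logs for the path traversal pattern described above, the following is an added example and not part of the CCB advisory or of Zyxel's guidance. The log layout, the `/example/...` paths and the addresses (documentation ranges) are constructed assumptions; the check decodes percent-encoding repeatedly and measures how far a request path or query value climbs above its starting directory.

```python
import re
from urllib.parse import unquote
# Constructed sample lines in a generic "client method url status" layout.
# This is not the Zyxel log format; adapt LINE_RE to your own log export.
SAMPLE_LOG = """\
198.51.100.7 GET /static/css/../img/logo.png 200
203.0.113.45 GET /example/download?file=../../../../etc/passwd 200
203.0.113.45 GET /example/download?file=..%2f..%2f..%2fetc%2fshadow 200
203.0.113.45 POST /example/upload?dir=%252e%252e%252f%252e%252e%252ftmp 200
192.0.2.10 GET /example/download?file=..%5c..%5cconfig.bak 404
192.0.2.10 GET /docs/release..notes.txt 200
"""
LINE_RE = re.compile(r"^(\S+) ([A-Z]+) (\S+) (\d{3})$")

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def climb(path):
    """Number of directory levels a path escapes above where it starts."""
    depth = lowest = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        elif segment not in ("", "."):
            depth += 1
    return -lowest

def traversal_depth(url):
    """Check the URL path and every query value separately; return the worst."""
    path, _, query = url.partition("?")
    parts = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return max(climb(fully_decode(part)) for part in parts)

def find_suspicious(log_text):
    """Return (client, method, url, status, depth) for requests that escape."""
    hits = []
    for match in map(LINE_RE.match, log_text.splitlines()):
        depth = traversal_depth(match.group(3)) if match else 0
        if depth > 0:
            client, method, url, status = match.groups()
            hits.append((client, method, url, int(status), depth))
    return hits

if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

A `..` that stays inside its own directory tree (the `logo.png` line) and dots inside a file name (`release..notes.txt`) are not reported, which keeps the output focused on requests that actually leave the starting directory.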