
Warning: High-severity directory traversal vulnerability in web management interface of Zyxel ZLD firewalls actively exploited by ransomware actors, Patch Immediately!

Reference:
Advisory #2024-278
Version:
1.0
Affected software:
Zyxel ZLD firewall firmware versions 5.00 through 5.38
Type:
Directory traversal vulnerability
CVE/CVSS:
CVE-2024-11667 - 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

Zyxel - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-11667

Risks

Zyxel firewalls are next-generation firewalls used by organizations to protect their networks.

A high-severity vulnerability (CVSS 7.5) exists in the web management interface of Zyxel ZLD firewalls. If left unpatched, the affected devices are vulnerable to directory traversal attacks with a possible high impact on confidentiality.

The vulnerability is known to be actively exploited by threat actors using the Helldown ransomware strain.

CVE-2024-11667 is fixed in the latest firmware update 5.39.

Description

CVE-2024-11667 is an 'Improper Limitation of a Pathname to a Restricted Directory' vulnerability, also known as 'Path Traversal'. If successfully exploited, an attacker can download files via a crafted URL and may also be able to upload malicious files.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

A firmware update to version 5.39 is available via the vendor's website. Until it is installed, it is strongly recommended to disable remote access and change the administrator password.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
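As an added illustration of the kind of detection this section calls for (example code, not part of the CCB advisory or of any Zyxel product), the script below scans web-server access logs for path traversal sequences of the sort CVE-2024-11667 belongs to, including percent-encoded, double-encoded and backslash variants. The log lines, client addresses and URL paths are constructed placeholders; the real management-interface endpoint is not stated in the advisory and is not assumed here.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format) for this example.
# Client addresses come from the documentation range and the paths are
# placeholders, not the Zyxel management-interface endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2024:10:01:02 +0100] "GET /cgi-bin/export?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842
203.0.113.11 - - [27/Nov/2024:10:01:09 +0100] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.12 - - [27/Nov/2024:10:02:31 +0100] "GET /download/%252e%252e/%252e%252e/conf/system.conf HTTP/1.1" 200 932
203.0.113.13 - - [27/Nov/2024:10:03:00 +0100] "POST /upload/..\\..\\www\\update.bin HTTP/1.1" 200 14
203.0.113.14 - - [27/Nov/2024:10:03:45 +0100] "GET /docs/a..b/readme.txt HTTP/1.1" 200 100
"""

# Captures: client ip, timestamp, method, url, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def normalize(url: str) -> str:
    """Percent-decode until stable (defeats double encoding: %252e -> %2e -> .)
    and treat backslashes as path separators, as many servers do."""
    prev, cur = None, url
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def has_traversal(url: str) -> bool:
    """True when the path or any parameter value contains a '..' segment after
    normalization. Whole-segment matching avoids flagging names such as 'a..b'."""
    for part in re.split(r"[?&=]", normalize(url)):
        if ".." in part.split("/"):
            return True
    return False


def find_traversal_attempts(log_text: str):
    """Return (client_ip, method, url, status) for each request carrying a
    traversal sequence. A 2xx status on such a request is the first thing to triage."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            ip, _ts, method, url, status = m.groups()
            if has_traversal(url):
                hits.append((ip, method, url, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Run over archived logs as well as live ones: the last sentence above is the reason, since a successful traversal request with a 200 response predating the patch is evidence of historic compromise that patching alone does not address.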

References

Zyxel - https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure/p1?new=1