
Warning: High-severity directory traversal vulnerability in web management interface of Zyxel ZLD firewalls actively exploited by ransomware actors, Patch Immediately!

Reference:
Advisory #2024-278
Version:
1.0
Affected software:
Zyxel ZLD firewall firmware versions 5.00 through 5.38
Type:
Directory traversal vulnerability
CVE/CVSS:

CVE-2024-11667 - 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

Zyxel - https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-protecting-against-recent-firewall-threats-11-27-2024

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-11667

Risks

Zyxel firewalls are next-generation firewalls deployed by organizations to protect their networks.

A high-severity vulnerability (CVSS 7.5) exists in the web management interface of Zyxel ZLD firewalls. If left unpatched, affected devices are exposed to directory traversal attacks, with a potentially high impact on confidentiality.

The vulnerability is known to be actively exploited by threat actors using the Helldown ransomware strain.

CVE-2024-11667 is fixed in the latest firmware update 5.39.

Description

CVE-2024-11667 is an 'Improper Limitation of a Pathname to a Restricted Directory' type vulnerability, also known as 'Path Traversal'. If exploited successfully, an attacker can download files from the device via a crafted URL, and can also upload malicious files.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

A firmware update to version 5.39 is available via the vendor's website. Until it is installed, it is strongly recommended to disable remote access to the web management interface and to change the administrator password.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate a historical compromise: devices that were exposed before patching should also be checked for signs of intrusion.
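The following is an added example, not part of this advisory and not Zyxel's code, illustrating both the weakness described above (a pathname that is allowed to climb out of its intended directory) and the kind of log-based detection the Monitor/Detect section recommends. It assumes a web server access log in Common Log Format; the log lines, IP addresses and request paths are constructed for the example and are not indicators from any real incident. The detector decodes percent-encoding repeatedly (so double-encoded `%252e%252e` is caught), then walks the path segments and flags any request whose path or query value would resolve above its starting directory. Blocked requests (HTTP 403) are reported as well, because a failed traversal attempt is still useful evidence of reconnaissance against the interface.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Hypothetical data,
# not taken from any real device or incident.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2024:10:01:12 +0100] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.10 - - [27/Nov/2024:10:01:15 +0100] "GET /cgi-bin/download?file=../../../../etc/passwd HTTP/1.1" 200 1789
198.51.100.7 - - [27/Nov/2024:10:02:01 +0100] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
198.51.100.7 - - [27/Nov/2024:10:02:30 +0100] "GET /docs/guide/../index.html HTTP/1.1" 200 2048
203.0.113.10 - - [27/Nov/2024:10:03:44 +0100] "POST /upload?name=..%252f..%252fcgi-bin%252fupdate.cgi HTTP/1.1" 200 12
"""

# Parses the client IP, timestamp, method, request target and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding repeatedly so that double-encoded traversal
    sequences (%252e%252e -> %2e%2e -> ..) are normalised before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(component):
    """Return True if the path component, once decoded, climbs above the
    directory it starts in. This is the condition a safe file handler must
    reject; here it is used as the detection rule."""
    decoded = fully_decode(component).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:        # went above the starting directory
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def is_traversal_request(target):
    """Check the URL path and every query-string value of one request."""
    path, _, query = target.partition("?")
    candidates = [path]
    if query:
        for pair in query.split("&"):
            candidates.append(pair.partition("=")[2])
    return any(escapes_root(c) for c in candidates)


def scan_log(text):
    """Return (ip, method, target, status) for each request that attempts
    directory traversal, whether or not the server blocked it."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match and is_traversal_request(match["target"]):
            hits.append((match["ip"], match["method"],
                         match["target"], match["status"]))
    return hits


if __name__ == "__main__":
    for ip, method, target, status in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {target} -> {status}")
```

Of the five constructed lines, three are reported: the plain `../` download, the single-encoded `%2e%2e` request that the server refused, and the double-encoded upload. The request `/docs/guide/../index.html` is not reported, because its `..` never leaves the web root; a detector that merely searched for the substring `..` would raise a false positive there. Applied to the real management-interface logs of an exposed device, the same rule gives a first indication of whether the device was probed before the 5.39 update was installed.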

References

Zyxel - https://community.zyxel.com/en/discussion/10920/best-practices-to-secure-a-distributed-network-infrastructure/p1?new=1