
CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

A second vulnerability in Zyxel firewalls has been exploited in Helldown ransomware attacks over the past weeks.

The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild.

The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices.

Successful exploitation of the security defect could allow an attacker to download or upload files using crafted URLs, a NIST advisory reads.

“An attacker may gain unauthorized access to the system, steal credentials, and create backdoor VPN connections by exploiting the vulnerability,” Qualys warned on Tuesday.

Zyxel ATP and USG FLEX series firewalls in on-premises mode and devices running ZLD firmware versions 4.32 to 5.38 that have remote management or SSL VPN enabled are affected.

On November 27, just ahead of Thanksgiving, Zyxel warned of the vulnerability being exploited in the wild by updating its advisory on previously disclosed attacks targeting its firewalls.

“We confirm that firewall firmware version 5.39, released on September 3, 2024, and later versions are immune to the exploitation, as we have addressed all known vulnerabilities, including CVE-2024-11667, and performed a series of security enhancements in version 5.39,” the updated advisory reads.

The advisory references a Sekoia report on the exploitation of another Zyxel firewall vulnerability, tracked as CVE-2024-42057, in Helldown ransomware attacks. Patches for CVE-2024-42057 and six other security defects were released on September 3.


“To safeguard devices, we have strongly urged users to update their firmware and change admin passwords. These updates are critical to mitigating the risk of threat actors exploiting previously disclosed vulnerabilities in Zyxel security appliances,” Zyxel warns in its updated advisory.

On November 22, CERT Germany (CERT-Bund) revealed that some organizations were compromised after applying Zyxel’s patches without changing administrative passwords or checking for newly created accounts.

“Further investigations have now revealed that updating the affected devices alone was not sufficient to permanently prevent compromise. Instead, the attackers can use created accounts to penetrate the networks,” reads a translation of CERT-Bund’s advisory (PDF).
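The two advisories together describe a post-patch checklist: a device is exposed if it runs ZLD 4.32 through 5.38 with remote management or SSL VPN enabled, and a device already on 5.39 is still suspect if it carries accounts nobody created on purpose or the admin password was never rotated. The inventory triage below is an added example, not code from SecurityWeek, Zyxel or CERT-Bund; the inventory record format and the `BASELINE_ACCOUNTS` set are constructed for the example and would in practice come from an asset database and the devices' exported configuration.

```python
"""Triage firewall inventory records against the CVE-2024-11667 advisories.

Added example (not SecurityWeek, Zyxel or CERT-Bund code). The inventory
record format below is constructed; the version boundaries come from the
advisories quoted in the article.
"""
import re

AFFECTED_MIN, AFFECTED_MAX, FIXED = (4, 32), (5, 38), (5, 39)
BASELINE_ACCOUNTS = {"admin"}  # constructed: accounts your change records expect


def parse_zld_version(text: str) -> tuple:
    """Extract (major, minor) from a ZLD version string such as 'V5.38(ABUI.0)'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(device: dict) -> list:
    """Return findings for one device; an empty list means nothing to act on."""
    findings = []
    ver = parse_zld_version(device["firmware"])
    exposed = device.get("remote_mgmt") or device.get("ssl_vpn")
    if AFFECTED_MIN <= ver <= AFFECTED_MAX and exposed:
        findings.append("vulnerable: ZLD %d.%d with remote management or SSL VPN "
                        "enabled; update to 5.39 or later" % ver)
    # Patching does not remove accounts an attacker created before the patch.
    extra = set(device.get("accounts", [])) - BASELINE_ACCOUNTS
    if extra:
        findings.append("unexpected accounts (possible backdoor): " + ", ".join(sorted(extra)))
    if ver >= FIXED and not device.get("password_rotated"):
        findings.append("patched but admin password not rotated; credentials "
                        "stolen before the update may still work")
    return findings


# Constructed sample inventory for the example.
INVENTORY = [
    {"name": "fw-branch-1", "firmware": "V5.38(ABUI.0)", "remote_mgmt": True,
     "ssl_vpn": True, "accounts": ["admin"], "password_rotated": False},
    {"name": "fw-hq", "firmware": "V5.39(ABUI.0)", "remote_mgmt": False,
     "ssl_vpn": True, "accounts": ["admin", "support"], "password_rotated": False},
    {"name": "fw-lab", "firmware": "V5.39(ABUI.0)", "ssl_vpn": False,
     "accounts": ["admin"], "password_rotated": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in triage(dev):
            print(f"{dev['name']}: {finding}")
```

Any device that produces the "unexpected accounts" finding should be treated as an incident rather than a hygiene item, since CERT-Bund reports those accounts being used to re-enter networks after patching.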

On December 3, CISA added CVE-2024-11667 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the available patches by December 24, in line with Binding Operational Directive (BOD) 22-01.

The agency also warned of the in-the-wild exploitation of CVE-2023-45727, a vulnerability in Proself email security and data sanitization appliances, and CVE-2024-11680, a bug in the open source application ProjectSend.

Additionally, CISA urged users and administrators to review Palo Alto Networks’ advisories on CVE-2024-0012 and CVE-2024-9474, two zero-days exploited in Operation Lunar Peek that led to the compromise of many firewalls.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and prioritize mitigating the included security defects.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
