CVE-2024-11667: Critical Vulnerability in Zyxel Firewalls Actively Exploited
CERT-Bund (Germany's federal CERT) and Zyxel have warned that a critical vulnerability in Zyxel firewalls is being actively exploited. The flaw, tracked as CVE-2024-11667, is being used to deploy Helldown ransomware; initial reports indicate that at least five German organizations have been compromised.
CVE-2024-11667 is a directory traversal vulnerability in Zyxel's ZLD firmware versions 5.00 through 5.38. A specially crafted URL lets an attacker download or upload files outside the web interface's intended directory. Because the readable files include stored configuration, exploitation can expose system credentials, which the attackers then reuse for follow-on activity such as establishing rogue VPN connections and modifying firewall security policies.
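Traversal attempts like the one described above are cheap to spot in web-interface or reverse-proxy access logs, provided the URL is canonicalized before matching: attackers routinely encode `..` as `%2e%2e`, double-encode it as `%252e%252e`, or use backslashes. The following Python detector is an added example for this page, not Zyxel code; the log line format and the sample entries are constructed for illustration and do not claim to reproduce Zyxel's own log layout or the exact URLs used in the real attacks.

```python
"""Flag directory-traversal attempts in HTTP access-log lines.

Added example (not Zyxel tooling). The line format
  <client-ip> "<METHOD> <url> HTTP/x.y" <status>
and the sample entries below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log, not real traffic. Lines 2, 3, 4 and 6 are
# traversal attempts; line 5 only looks like one ("safe..name.pdf").
SAMPLE_LOG = """\
203.0.113.5 "GET /index.html HTTP/1.1" 200
203.0.113.9 "GET /cgi-bin/export?file=../../../etc/passwd HTTP/1.1" 200
198.51.100.7 "GET /images/..%2F..%2Fconf HTTP/1.1" 404
198.51.100.7 "GET /a/%252e%252e/%252e%252e/b HTTP/1.1" 200
192.0.2.44 "GET /docs/safe..name.pdf HTTP/1.1" 200
192.0.2.44 "POST /upload?dest=..\\..\\tmp HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})')


def canonicalize(fragment):
    """Percent-decode until stable (catches double encoding) and treat
    backslashes as path separators, so '..\\..' and '%252e%252e' both
    become literal '..' segments."""
    prev, cur = None, fragment
    for _ in range(3):          # bounded: never loop on malicious input
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(url):
    """True if any path segment, or any query value segment, is exactly
    '..' after canonicalization. Matching whole segments avoids false
    positives on names that merely contain two dots."""
    parts = urlsplit(url)
    candidates = [parts.path] + parts.query.split("&")
    for cand in candidates:
        value = cand.split("=", 1)[-1]   # for query params keep the value
        for seg in canonicalize(value).split("/"):
            if seg == "..":
                return True
    return False


def scan_log(text):
    """Return (client_ip, method, url) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, url, _status = m.groups()
        if is_traversal(url):
            hits.append((ip, method, url))
    return hits


if __name__ == "__main__":
    for ip, method, url in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {url}")
```

Run it over an exported access log to get a list of source addresses worth blocking and correlating with VPN logins; a hit on a device still running an affected firmware version should be treated as a probable credential compromise, not just a probe.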
The affected devices include:
- Zyxel ATP and USG FLEX series firewalls operating in on-premise mode.
- Devices running ZLD firmware versions 4.32 through 5.38 with remote management or SSL VPN enabled (Zyxel's update guidance covers this wider span; the CVE entry itself names 5.00 through 5.38).
Devices managed through Nebula cloud mode are not affected.
Helldown ransomware, first observed in August 2024, appears to be built from the leaked LockBit ransomware builder. Its operators move laterally inside a compromised network before encrypting, to maximize impact. Importantly, a firewall that has been updated to a fixed firmware version is not automatically safe: the traversal bug lets attackers read credentials before the patch is applied, the update does not invalidate those credentials, and an attacker who already holds them can simply log back in (for example over SSL VPN) unless every account password has been changed since the compromise.
To mitigate this critical threat, Zyxel has released ZLD firmware version 5.39, which addresses CVE-2024-11667. However, CERT-Bund and Zyxel strongly emphasize that patching alone is not sufficient. Organizations are urged to implement the following security measures:
- Immediate password reset for all user accounts: credentials read through the traversal bug remain valid after the firmware update, so resetting them is what actually evicts an attacker who obtained them before patching.
- Enhanced network monitoring: watch for anomalous activity such as unusual or repeated login attempts, VPN sessions from unfamiliar addresses, unexpected changes to firewall security policies, data exfiltration, or unauthorized network connections.
- Disable non-essential services: Disable remote management and SSL VPN functionalities if they are not critical to business operations.
- Regular data backups: Maintain offline backups of critical data to ensure business continuity in the event of a ransomware attack.
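The checklist above is easy to apply to one firewall and easy to get wrong across a fleet, where the usual mistakes are comparing version strings lexically ("5.4" sorts after "5.38") and forgetting that a device already on 5.39 still needs its passwords rotated. The script below is an added example for this page, not a Zyxel tool: it parses ZLD version strings (the `V5.38(ABUJ.0)C0` layout is assumed for illustration), applies the affected ranges and the Nebula exemption as stated in this article, and emits the ordered actions for each device in a constructed inventory.

```python
"""Triage a Zyxel firewall inventory against CVE-2024-11667.

Added example (not Zyxel tooling). The inventory records and the
assumed ZLD version-string layout 'V5.38(ABUJ.0)C0' are illustrative.
"""
import re

FIXED_VERSION = (5, 39)               # ZLD 5.39 contains the fix
# Zyxel's update guidance: on-prem devices on 4.32 through 5.38 with
# remote management or SSL VPN enabled (the CVE text names 5.00-5.38).
ADVISORY_RANGE = ((4, 32), (5, 38))

VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_zld_version(s):
    """'V5.38(ABUJ.0)C0' -> (5, 38). Tuples compare numerically, so
    (5, 4) < (5, 38), whereas the strings '5.4' > '5.38' would not."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognized ZLD version string: {s!r}")
    return int(m.group(1)), int(m.group(2))


def in_advisory_range(v):
    lo, hi = ADVISORY_RANGE
    return lo <= v <= hi


def triage(device):
    """Return the ordered list of actions for one inventory record."""
    if device.get("nebula_managed"):
        return ["not affected: Nebula cloud-managed"]
    v = parse_zld_version(device["firmware"])
    if v >= FIXED_VERSION:
        # Patched, but credentials stolen before the update stay valid.
        return ["patched: confirm passwords were reset after the upgrade"]
    actions = ["upgrade to ZLD 5.39"]
    if in_advisory_range(v):
        # The traversal bug exposes stored credentials; a patch alone
        # does not evict an attacker who already holds them.
        actions.append("reset all user passwords")
        if device.get("remote_mgmt") or device.get("ssl_vpn"):
            actions.append("disable remote management / SSL VPN until patched")
            actions.append("review logs for rogue VPN sessions and policy changes")
    return actions


# Constructed inventory for illustration; not real devices.
INVENTORY = [
    {"name": "fw-hq", "firmware": "V5.38(ABUJ.0)C0", "nebula_managed": False,
     "remote_mgmt": True, "ssl_vpn": True},
    {"name": "fw-branch", "firmware": "V5.4(ABUJ.1)", "nebula_managed": False,
     "remote_mgmt": False, "ssl_vpn": False},
    {"name": "fw-cloud", "firmware": "V5.37(ABUJ.2)C0", "nebula_managed": True,
     "remote_mgmt": True, "ssl_vpn": True},
    {"name": "fw-new", "firmware": "V5.39(ABUJ.0)C0", "nebula_managed": False,
     "remote_mgmt": True, "ssl_vpn": False},
]


def triage_inventory(inventory):
    """Map device name -> action list for the whole fleet."""
    return {d["name"]: triage(d) for d in inventory}


if __name__ == "__main__":
    for name, actions in triage_inventory(INVENTORY).items():
        print(name)
        for step in actions:
            print("  -", step)
```

Feed it the real inventory export and treat every device that receives "reset all user passwords" as a possible existing compromise: rotate credentials on the firewall first, then on any internal accounts whose passwords were reachable from its configuration.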