CVE-2024-11667
Published: 27 November 2024
Summary
CVE-2024-11667 is a high-severity Path Traversal (CWE-22) vulnerability in Zyxel ZLD. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A directory traversal vulnerability tracked as CVE-2024-11667 affects the web management interface of multiple Zyxel firewall product lines, specifically ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38. The flaw, assigned CWE-22, permits an unauthenticated remote attacker to access or manipulate files on the device by supplying a crafted URL.
An attacker with network access to the management interface can exploit the issue without credentials or user interaction to download or upload arbitrary files. Successful exploitation yields high confidentiality impact, as reflected in the CVSS 7.5 score, and could enable further compromise of the affected firewall.
Zyxel has published a security advisory detailing the affected firmware ranges and recommended actions, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild use.
The EPSS score for this vulnerability rose from a low baseline to a peak of 0.4399, with a current value of 0.2894, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34151
Vulnerability details
A directory traversal vulnerability in the web management interface of Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38 could allow an attacker to download or upload files via a crafted URL.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 03 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Zyxel ATP series, firmware V5.00 through V5.38
- Zyxel USG FLEX series, firmware V5.00 through V5.38
- Zyxel USG FLEX 50(W) series, firmware V5.10 through V5.38
- Zyxel USG20(W)-VPN series, firmware V5.10 through V5.38
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directory traversal via crafted URLs is a direct failure of input validation on path parameters in the web management interface.
- SI-2 (Flaw Remediation): Zyxel's recommended fix and the CISA KEV listing both require prompt application of the firmware updates that correct the path-handling flaw.
- Access enforcement on the management interface: proper access enforcement would block unauthenticated file read/write operations even if a traversal string reaches the handler.
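The two controls above, input validation on the path parameter and access enforcement before any file operation, are easiest to see in code. The following is an added illustration, not Zyxel's firmware or advisory code: a hypothetical file-serving handler that canonicalises a requested path and refuses anything that escapes the web root, and that rejects unauthenticated callers before it touches the filesystem at all. The web root, the request shape and the sample file names are constructed for the demonstration.

```python
"""Added example: SI-10-style path validation plus an authentication gate.
Illustrative code only; not Zyxel's implementation. The web root layout,
request format and file contents below are constructed for the demo."""
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def safe_resolve(web_root: str, requested: str) -> Optional[Path]:
    """Return the on-disk path for `requested` only if it stays inside web_root.

    Percent-decodes (bounded loop, so double-encoded '..%252f' is caught),
    rejects NUL bytes, normalises backslashes, then resolves symlinks and '..'
    and checks the real path is still under the real web root.
    Returns None on any escape attempt.
    """
    decoded = requested
    for _ in range(3):  # bounded: handles nested encoding without looping forever
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if "\x00" in decoded:  # NUL would truncate the path in a C-level open()
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")  # treat as relative to root
    root = Path(web_root).resolve()
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)  # ValueError if candidate left the root
    except ValueError:
        return None
    return candidate


def handle_file_request(web_root: str, requested: str, authenticated: bool) -> Tuple[int, str]:
    """Hypothetical handler: access enforcement first, then path validation,
    then serve. Returns an (HTTP status, body) pair."""
    if not authenticated:
        return 401, "authentication required"
    target = safe_resolve(web_root, requested)
    if target is None:
        return 400, "invalid path"
    if not target.is_file():
        return 404, "not found"
    return 200, target.read_text()


def demo() -> Dict[str, int]:
    """Run the handler over constructed requests in a throwaway web root.
    Returns the status code observed for each named case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "index.html").write_text("<html>ok</html>")
        # A file deliberately placed OUTSIDE the web root (constructed).
        (Path(tmp) / "config.txt").write_text("admin:constructed-secret")
        cases = {
            "plain": ("index.html", True),
            "dotdot": ("../config.txt", True),
            "encoded": ("..%2fconfig.txt", True),
            "double_encoded": ("..%252fconfig.txt", True),
            "backslash": ("..\\config.txt", True),
            "absolute": ("/etc/passwd", True),       # mapped inside root, so 404
            "unauthenticated": ("index.html", False),
        }
        return {name: handle_file_request(str(root), req, auth)[0]
                for name, (req, auth) in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16s} -> {status}")
```

The ordering inside `handle_file_request` is the point of the access-enforcement control: an unauthenticated request never reaches `safe_resolve`, so even a traversal string the validator might miss cannot read or write anything. `safe_resolve` then relies on the resolved real path rather than on string matching for `..`, which is why the encoded, double-encoded and backslash variants all collapse to the same rejection.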