PT-2024-5902 · Zyxel · Zyxel USG FLEX Series +3

Nella17 · Published 2024-09-02 · Updated 2025-09-01 · CVE-2024-42057

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Zyxel ATP series firmware versions from V4.32 through V5.38
Zyxel USG FLEX series firmware versions from V4.50 through V5.38
Zyxel USG FLEX 50(W) series firmware versions from V4.16 through V5.38
Zyxel USG20(W)-VPN series firmware versions from V4.16 through V5.38

Description

A command injection vulnerability in the IPSec VPN feature could allow an unauthenticated attacker to execute some OS commands on an affected device by sending a crafted username to the vulnerable device. This attack could be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists. The Helldown ransomware group has been observed exploiting this vulnerability to gain access to systems, and it has been used to target various industries, including healthcare, energy, and transportation. The vulnerability has been exploited in the wild, and it is considered a high-severity threat.

Recommendations

Update Zyxel ATP series firmware to version 5.39 or later
Update Zyxel USG FLEX series firmware to version 5.39 or later
Update Zyxel USG FLEX 50(W) series firmware to version 5.39 or later
Update Zyxel USG20(W)-VPN series firmware to version 5.39 or later
As a temporary workaround, consider disabling the IPSec VPN feature until a patch is available
Restrict access to the IPSec VPN feature to minimize the risk of exploitation
Avoid using long usernames exceeding 28 characters in the User-Based-PSK authentication mode until the issue is resolved
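The affected-version ranges and the two preconditions above (User-Based-PSK mode, a username longer than 28 characters) can be turned into an inventory triage check. The following is an added example written for this page, not Zyxel's or the advisory author's code: it parses a firmware version string, tests it against the ranges listed in this advisory, and flags devices that also meet the exploitation preconditions. The device records, the series labels used as dictionary keys, and the firmware strings in the sample inventory are constructed for illustration.

```python
import re

# Affected firmware ranges per series, as stated in this advisory (inclusive).
# Keys are labels chosen for this example, not a Zyxel API or product code.
AFFECTED_RANGES = {
    "ATP": ((4, 32), (5, 38)),
    "USG FLEX": ((4, 50), (5, 38)),
    "USG FLEX 50(W)": ((4, 16), (5, 38)),
    "USG20(W)-VPN": ((4, 16), (5, 38)),
}
FIXED_VERSION = (5, 39)          # advisory: update to 5.39 or later
MAX_SAFE_USERNAME_LEN = 28       # advisory: usernames over 28 chars are a precondition

_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, int]:
    """Return (major, minor) from strings such as 'V5.38', '5.38' or 'V5.38(ABPS.0)'.

    Only the leading major.minor pair is compared; any build suffix is ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(series: str, version: str) -> bool:
    """True if the firmware version falls inside the advisory's affected range."""
    low, high = AFFECTED_RANGES[series]
    return low <= parse_version(version) <= high


def triage_device(device: dict) -> list[str]:
    """Return a list of findings for one inventory record.

    Expected keys (constructed for this example): 'name', 'series', 'firmware',
    'ipsec_auth_mode' and 'vpn_usernames'.
    """
    findings = []
    if is_affected(device["series"], device["firmware"]):
        findings.append(
            f"firmware {device['firmware']} is in the affected range; "
            f"update to {FIXED_VERSION[0]}.{FIXED_VERSION[1]} or later"
        )
        # The preconditions only matter on vulnerable firmware.
        if device.get("ipsec_auth_mode") == "User-Based-PSK":
            long_users = [u for u in device.get("vpn_usernames", [])
                          if len(u) > MAX_SAFE_USERNAME_LEN]
            if long_users:
                findings.append(
                    f"User-Based-PSK mode with {len(long_users)} username(s) over "
                    f"{MAX_SAFE_USERNAME_LEN} characters; exploitation preconditions met"
                )
    return findings


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"name": "fw-branch-1", "series": "USG FLEX", "firmware": "V5.38(ABUJ.0)",
     "ipsec_auth_mode": "User-Based-PSK",
     "vpn_usernames": ["alice", "x" * 40]},
    {"name": "fw-branch-2", "series": "ATP", "firmware": "V5.39(ABPS.0)",
     "ipsec_auth_mode": "User-Based-PSK",
     "vpn_usernames": ["y" * 40]},
    {"name": "fw-lab", "series": "USG20(W)-VPN", "firmware": "V4.15",
     "ipsec_auth_mode": "Pre-Shared Key", "vpn_usernames": []},
]


def triage_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map device name to findings, omitting devices with nothing to report."""
    report = {}
    for device in inventory:
        findings = triage_device(device)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only the major.minor pair is compared, so a device on 5.39 with any build suffix is treated as patched and a device below the lower bound of its series is treated as out of scope, matching the ranges the advisory gives.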

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

BDU:2024-06705
CVE-2024-42057

Affected Products

Zyxel ATP series
Zyxel USG FLEX 50(W) series
Zyxel USG FLEX series
Zyxel USG20(W)-VPN series