PT-2024-8803 · Zyxel · Zyxel USG FLEX 50(W) series +3
Published 2024-11-21 · Updated 2026-05-02 · CVE-2024-11667
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zyxel ATP series versions V5.00 through V5.38
Zyxel USG FLEX series versions V5.00 through V5.38
Zyxel USG FLEX 50(W) series versions V5.10 through V5.38
Zyxel USG20(W)-VPN series versions V5.10 through V5.38
Description
A directory traversal vulnerability exists in the web management interface of Zyxel firewalls because a user-supplied pathname is not properly limited to a restricted directory. It allows an unauthenticated remote attacker to download or upload files via a crafted URL. The issue has been actively exploited in the wild, with reports of the Helldown ransomware group using it.
Recommendations
Update firmware to version 5.39 for all affected series.
Disable remote access until devices are updated.
Restrict access to the web management interface to minimize the risk of exploitation.
Weakness Enumeration
Path traversal
Affected Products
Zyxel ATP series
Zyxel USG FLEX 50(W) series
Zyxel USG FLEX series
Zyxel USG20(W)-VPN series