December 5, 2024: A vulnerability in multiple Zyxel firewall appliances is being exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities Catalog. The vulnerability is tracked as CVE-2024-11667. Affected Zyxel products include the ATP, USG FLEX 50 and USG20(W) series running firmware versions V5.00 through V5.38.
Federal agencies are being urged by CISA to apply available patches by Dec. 24.
Impact of Zyxel Firewall Vulnerability
The Zyxel firewall vulnerability carries a CVSS score of 7.5/10 and is considered a high-severity flaw that allows cyber threat actors to download and upload files through a crafted URL.
Exploiting this vulnerability can allow cyber threat actors to compromise the device, steal credentials, and carry out malicious activity such as establishing unauthorized and unknown VPN connections and modifying the security policies configured on the system.
On November 27, 2024, Zyxel warned that the vulnerability is being exploited in the wild, and it has been reported that cyber threat actors have leveraged the vulnerability to deploy Helldown ransomware, a derivative of LockBit.
Patching and Mitigating Zyxel Firewall Vulnerability
Zyxel updated its original advisory for the vulnerability and released firmware version 5.39 with a series of security enhancements. All versions prior to 5.39 are impacted.
Systems that have been patched could remain at risk if cyber threat actors gain access using administrator credentials that were stolen through the vulnerability and never changed.
All Zyxel users of these product series should immediately update their devices to the most recent firmware version.
Zyxel also recommends that remote access be disabled until the firmware is patched.
Administrator credentials should also be changed in case they were compromised before the system was patched.
CISA urges federal agencies to apply the available patches no later than Dec. 24.
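As an added illustration of the patch-and-rotate guidance above (example code written for this page, not Zyxel’s or SecuLore’s), the following Python triages a constructed device inventory against the affected series and firmware range the advisory names, and flags the case the advisory stresses: a device that is already patched but still needs its administrator credentials rotated. The firmware string format "V5.38(ABUC.0)" and the inventory fields are assumptions.

```python
import re
from dataclasses import dataclass

# Product series the advisory names as affected.
AFFECTED_SERIES = ("ATP", "USG FLEX 50", "USG20(W)")
# Firmware V5.00 through V5.38 is affected; 5.39 carries the fix.
FIRST_AFFECTED = (5, 0)
FIXED = (5, 39)

# Assumed Zyxel firmware string format, e.g. "V5.38(ABUC.0)"; the
# parenthesised build suffix is ignored for the version comparison.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)")


def parse_version(firmware: str) -> tuple[int, int]:
    """Return (major, minor) from a firmware string, or raise ValueError."""
    m = _VERSION_RE.match(firmware.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {firmware!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(series: str, firmware: str) -> bool:
    """True when the series is in scope and the firmware is V5.00..V5.38."""
    if series not in AFFECTED_SERIES:
        return False
    return FIRST_AFFECTED <= parse_version(firmware) < FIXED


@dataclass
class Device:
    name: str                      # constructed inventory fields (assumed)
    series: str
    firmware: str
    remote_access_enabled: bool
    ran_affected_firmware: bool    # was ever deployed on V5.00..V5.38
    admin_creds_rotated: bool      # credentials changed after patching


def triage(dev: Device) -> list[str]:
    """Return the advisory's actions that still apply to this device."""
    actions = []
    if is_affected(dev.series, dev.firmware):
        actions.append("update firmware to 5.39 or later")
        if dev.remote_access_enabled:
            actions.append("disable remote access until patched")
    # A patched device is not safe if credentials were stolen before the patch.
    exposed = dev.ran_affected_firmware or is_affected(dev.series, dev.firmware)
    if dev.series in AFFECTED_SERIES and exposed and not dev.admin_creds_rotated:
        actions.append("rotate administrator credentials")
    return actions
```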
Cybersecurity Solutions
Patching all third-party software as soon as a safe version is available is a critical part of your organization’s cyber posture and should be part of your written cyber policies.
It is possible that your network was already compromised through these vulnerabilities before the latest security patch was applied, which is why updating credentials in the wake of a known vulnerability is always recommended, regardless of whether they are known to have been compromised.
When any device or software used on your network has a known or exploited vulnerability, a cybersecurity risk assessment is also recommended. Our assessment helps identify vulnerabilities in your network and provides actionable recommendations, including immediate remediation options, based on real data captured from your network. Regular cybersecurity risk assessments should be part of your organization’s cybersecurity policy.
SecuLore CyberSight™ provides attack surface management and monitoring through our patented technology to detect vulnerabilities in your network and identify anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center, where they are processed through a unique behavioral analysis that is constantly reviewed by our team of Certified Ethical Hackers (CEH).
Cyber-Protecting Our Nation’s Critical Infrastructure
At SecuLore, our mission is to cyber-protect our nation’s critical infrastructure. Led by experts in 9-1-1 technology, cyberwarfare, and ethical hacking, our team provides the technology, expertise, and training needed to defend customers from increasingly sophisticated cyber threats.