Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-11667
CVE-2024-11667:
NixOS vulnerability analysis and mitigation
Overview
A directory traversal vulnerability (CVE-2024-11667) was discovered in the web management interface of Zyxel firewall products. The vulnerability affects multiple Zyxel product lines including ATP series (firmware versions V5.00-V5.38), USG FLEX series (V5.00-V5.38), USG FLEX 50(W) series (V5.10-V5.38), and USG20(W)-VPN series (V5.10-V5.38). The vulnerability was disclosed on November 27, 2024, and allows attackers to download or upload files via crafted URLs (Zyxel Advisory, NVD).
Technical details
The vulnerability is classified as a directory traversal issue (CWE-22) that exists in the web management interface of affected Zyxel devices. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST, while Zyxel Corporation assigned it a score of 7.5 (HIGH). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).
Impact
Successful exploitation of this vulnerability enables attackers to download or upload files through the web management interface using specially crafted URLs. This could potentially lead to unauthorized access to sensitive system files or allow malicious file uploads that could compromise the device (Zyxel Advisory).
Mitigation and workarounds
Zyxel has released firmware version 5.39 on September 3, 2024, which addresses this vulnerability. Organizations are strongly advised to immediately update their devices to the latest firmware version. If immediate updates are not possible, Zyxel recommends temporarily disabling remote access to affected devices until the firmware can be patched (Zyxel Advisory).
Community reactions
The vulnerability has gained significant attention from security researchers and government agencies. CISA has mandated Federal Civilian Executive Branch (FCEB) agencies to patch this vulnerability by December 24, 2024, highlighting its critical nature. Security firms including Censys and Sekoia have reported ongoing exploitation attempts (Hacker News).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management