CVE-2024-11667 — Zyxel Multiple Firewalls Path Traversal Vulnerability

CVE-2024-11667

Zyxel USG FLEX / ATP Firewalls — Unauthenticated Path Traversal Enables File Upload/Download; Exploited by Helldown Ransomware

What are Zyxel USG FLEX and ATP Firewalls?

Zyxel's USG FLEX and ATP (Advanced Threat Protection) firewall series are network security appliances deployed by small and medium businesses and branch offices as perimeter firewalls, VPN gateways, and SSL inspection devices. The ZLD firmware platform runs the web management interface used for configuration, monitoring, and firmware updates. These appliances are internet-connected by design: their VPN termination endpoints face the WAN, and in many deployments the web management interface is reachable from the WAN as well, so a vulnerability in that interface is directly accessible to external attackers.

Overview

CVE-2024-11667 is a path traversal vulnerability in the web management interface of multiple Zyxel firewalls running ZLD firmware. An unauthenticated remote attacker can craft a URL that traverses outside the web root, enabling arbitrary file download or upload on the firewall's filesystem. Zyxel published a security advisory warning of active exploitation on November 21, 2024, six days before the CVE was formally published, after observing the Helldown ransomware group exploiting the vulnerability to compromise firewalls and establish initial access into corporate networks. CISA added it to the KEV catalog on December 3, 2024 with a 21-day remediation deadline.

Affected Versions

Product Vulnerable ZLD Firmware Fixed
USG FLEX 100, 200, 500, 700 ZLD 5.00–5.38 ZLD 5.39
USG FLEX 50(W) / USG20(W)-VPN ZLD 5.00–5.38 ZLD 5.39
ATP 100, 200, 500, 700, 800 ZLD 5.00–5.38 ZLD 5.39

Technical Details

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal). The ZLD web management interface fails to sanitize URL path components before resolving them to filesystem paths. An unauthenticated attacker can include ../ sequences or absolute path segments in the URL to navigate outside the web root directory and access arbitrary files on the firewall appliance. Both reading (download) and writing (upload) are exploitable. Note that the NVD CVSS 3.1 vector recorded below (C:H/I:N/A:N) scores only the read side; when prioritising, treat the upload side as a separate and higher-impact concern. Exploitation enables:

  • Download: Exfiltrate VPN configuration files, session tokens, and credentials stored on the appliance
  • Upload: Write malicious files to the filesystem, potentially enabling persistent backdoor installation or overwriting legitimate system files

The Helldown ransomware group leveraged this vulnerability to steal VPN credentials from the firewall's configuration files, then used those credentials for VPN-based lateral movement into the victim network.
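The bug class above is easiest to see beside its fix. The following is an added illustration of CWE-22 in general, not Zyxel's code and not the ZLD handler: a naive resolver that concatenates the request path onto a hypothetical web root, next to a hardened resolver that percent-decodes exactly once, rejects NUL bytes, normalises, and checks that the result is still contained in the root. The web root and request paths are assumptions chosen for the example.

```python
"""Path traversal (CWE-22): a naive path resolver beside a hardened one.

Added example, not Zyxel's code. WEB_ROOT and every request path below are
hypothetical; the logic is generic to any web handler that maps URL paths
onto a directory.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/htdocs"  # hypothetical web root (assumption)


def naive_resolve(web_root: str, url_path: str) -> str:
    """Vulnerable: glues the request path onto the web root.

    No decoding, no normalisation, no containment check. The kernel resolves
    the '..' components, so '../../etc/passwd' walks out of web_root.
    """
    return web_root + "/" + url_path


def _contained(path: str, web_root: str) -> bool:
    """True if path is web_root itself or lies beneath it.

    The trailing separator matters: '/var/www/htdocs2' must not pass as a
    child of '/var/www/htdocs'.
    """
    return path == web_root or path.startswith(web_root + "/")


def naive_escapes(web_root: str, url_path: str) -> bool:
    """Report whether the naive result, once normalised, leaves web_root."""
    return not _contained(posixpath.normpath(naive_resolve(web_root, url_path)), web_root)


def hardened_resolve(web_root: str, url_path: str) -> Optional[str]:
    """Return the absolute path for url_path, or None if it escapes web_root."""
    # Decode percent-encoding exactly once. Decoding twice would turn a
    # double-encoded %252e back into '.', reopening the hole.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None  # a NUL byte truncates the path once it reaches C code
    # Strip leading slashes: posixpath.join() would otherwise discard
    # web_root entirely for an absolute request path.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, relative))
    if not _contained(candidate, web_root):
        return None
    # In a real server, follow this with os.path.realpath() and re-check
    # containment so that symlinks inside the root cannot point outside it.
    return candidate


if __name__ == "__main__":
    for req in ("/images/logo.png", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", "a%00/../../etc/passwd"):
        print(f"{req!r:32} naive escapes={naive_escapes(WEB_ROOT, req)!s:5} "
              f"hardened -> {hardened_resolve(WEB_ROOT, req)}")
```

The containment test is done on the normalised string rather than by looking for the literal substring `..`, because the encoded, mixed and absolute forms all collapse to the same thing after decoding and `normpath`; a substring filter catches only the form its author thought of.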

Discovery

Zyxel became aware of active exploitation by November 21, 2024, publishing a preemptive advisory before formal CVE assignment. The Helldown ransomware group's use of this vulnerability was documented by security researchers tracking the group's campaign against European organizations.

Exploitation Context

Helldown is a relatively new ransomware group (first observed mid-2024) that targeted Zyxel firewalls specifically as an initial access vector. By exploiting CVE-2024-11667 to read VPN configuration and credential files from the firewall appliance, the group obtained valid VPN credentials without needing to brute-force or phish employees. These credentials enabled VPN connections that looked legitimate, allowing Helldown operators to move laterally through the victim network before deploying ransomware. The pattern, using a perimeter-device vulnerability to harvest credentials rather than to run code on the device itself, is increasingly common among ransomware groups targeting SMBs.

Remediation

  1. Upgrade affected Zyxel firewalls to ZLD 5.39 or later immediately.
  2. After patching, rotate all VPN user credentials — treat all credentials on the appliance as potentially compromised.
  3. Review VPN access logs for unexpected logins or connections from unfamiliar IP addresses in the period before patching.
  4. Restrict management interface access to trusted internal IP addresses only — the ZLD web UI should not be accessible from the internet.
  5. Audit active VPN sessions and revoke any that cannot be attributed to known legitimate users.
  6. Check for unauthorized scheduled tasks, new user accounts, or modified firewall rules that may indicate post-exploitation persistence.
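Steps 3 and 5 above call for a review of VPN logins during the exposure window. The script below is an added example of that review, not Zyxel's tooling: it parses a constructed, generic syslog-style VPN login log (the field names, trusted source ranges and assumed patch date are all assumptions; real ZLD log fields differ, so adapt the regex to your export) and flags two things worth attention when credentials were read off the appliance in bulk: successful logins from outside the expected source ranges, and one source address logging in as several different accounts.

```python
"""Hunt pre-patch VPN logins that need attribution (remediation steps 3 and 5).

Added example, not Zyxel's tooling. The log format, the trusted ranges and
PATCH_TIME are assumptions for the example; adapt LINE_RE to the real export.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log: a mix of expected and suspicious VPN logins.
SAMPLE_LOG = """\
2024-11-15T08:02:11 vpn: user=alice from=203.0.113.5 result=success
2024-11-15T08:05:40 vpn: user=bob from=198.51.100.23 result=success
2024-11-16T02:13:09 vpn: user=alice from=192.0.2.77 result=success
2024-11-16T02:14:30 vpn: user=svc-backup from=192.0.2.77 result=success
2024-11-16T02:20:02 vpn: user=bob from=198.51.100.23 result=failure
2024-11-17T09:00:00 vpn: user=carol from=203.0.113.9 result=success
"""

# Source ranges this fictional organisation expects its users to come from (assumption).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Assumed time the firewall was patched; everything before it is in scope.
PATCH_TIME = datetime(2024, 11, 28, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) from=(?P<ip>\S+) result=(?P<result>\S+)$")


def parse(log_text: str) -> List[dict]:
    """Turn the constructed log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "user": m["user"],
                       "ip": ipaddress.ip_address(m["ip"]),
                       "result": m["result"]})
    return events


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETS)


def find_suspicious(events: List[dict], patch_time: datetime = PATCH_TIME) -> Dict[str, List[str]]:
    """Return findings keyed by account for successful pre-patch logins.

    Heuristic 1: login from an address outside TRUSTED_NETS.
    Heuristic 2: one untrusted address used by more than one account, which is
    what replaying a batch of credentials stolen from the appliance looks like.
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] != "success" or e["ts"] >= patch_time:
            continue
        users_by_ip[e["ip"]].add(e["user"])
        if not is_trusted(e["ip"]):
            findings[e["user"]].append(
                f"login from untrusted {e['ip']} at {e['ts'].isoformat()}")
    for ip, users in users_by_ip.items():
        if len(users) > 1 and not is_trusted(ip):
            for u in sorted(users):
                others = ", ".join(sorted(users - {u}))
                findings[u].append(f"source {ip} also logged in as {others}")
    return dict(findings)


if __name__ == "__main__":
    for user, notes in sorted(find_suspicious(parse(SAMPLE_LOG)).items()):
        print(user)
        for note in notes:
            print("  -", note)
```

Every account that appears in the output should be attributed to a real person or revoked (step 5), and because the attacker's credentials were valid, a "successful" result is the signal here, not failures; a brute-force heuristic keyed on failed logins would miss this entirely.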

Key Details

Property              Value
CVE ID                CVE-2024-11667
Vendor / Product      Zyxel — Multiple Firewalls
NVD Published         2024-11-27
NVD Last Modified     2025-10-27
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-22
CISA KEV Added        2024-12-03
CISA KEV Deadline     2024-12-24
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-12-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-11-21  Zyxel publishes advisory warning of active exploitation against USG FLEX and ATP firewalls
2024-11-27  CVE-2024-11667 published; ZLD 5.39 is the fixed firmware for the affected series
2024-12-03  Added to CISA Known Exploited Vulnerabilities catalog
2024-12-24  CISA BOD 22-01 remediation deadline