CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

December 4, 2024 at 08:19AM

CISA warned of a high-severity vulnerability (CVE-2024-11667) in Zyxel firewall devices that is being exploited in the wild and allows unauthorized file access. Zyxel has issued patches, but users must also change passwords for complete protection. CISA urges federal agencies to update their systems by December 24 and recommends that all organizations follow suit.

### Meeting Takeaways:

1. **Vulnerability Alert**: CISA has reported on a **path traversal vulnerability** (CVE-2024-11667) affecting various Zyxel firewall appliances, with a high-severity CVSS score of **7.5**. This flaw impacts the web management interface of **Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices**.

2. **Exploitation Risk**: Attackers exploiting this vulnerability could potentially **gain unauthorized access**, **steal credentials**, or **establish backdoor VPN connections**.

3. **Affected Devices**: The vulnerability is present in Zyxel firewalls operating in **on-premises mode** with **ZLD firmware versions 4.32 to 5.38**, specifically those with remote management or SSL VPN enabled.

4. **Firmware Updates**: Zyxel confirmed that **firewall firmware version 5.39**, released on **September 3, 2024**, and later versions are secure, having addressed this vulnerability and others.

5. **Security Recommendations**: Zyxel advises users to **update their firmware** and **change administrative passwords** to mitigate risks associated with the vulnerability and previously disclosed security defects.

6. **Previously Disclosed Attacks**: A November 27 warning noted that some organizations suffered breaches even after applying Zyxel’s patches because they had not changed admin passwords or checked for newly created accounts.

7. **CISA Advisories**: CISA included CVE-2024-11667 in its **Known Exploited Vulnerabilities (KEV)** catalog and is urging federal agencies to apply patches by **December 24, 2024**, in accordance with **BOD 22-01**.

8. **Other Vulnerabilities**: CISA also highlighted additional threats such as the exploitation of CVE-2023-45727 and CVE-2024-11680, urging organizations, not just federal agencies, to review the KEV list for applicable vulnerabilities.

9. **Related Reports**: The meeting referenced a Sekoia report on the exploitation of another Zyxel firewall vulnerability, CVE-2024-42057, demonstrating ongoing threats from ransomware attacks.

### Action Items:
– Ensure that all Zyxel firewalls are updated to firmware version 5.39 or later.
– Change administrative passwords and monitor for newly created accounts.
– Review the CISA KEV catalog and take action on any listed vulnerabilities affecting your organization.
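As an added example (not code from the article, CISA or Zyxel), the following Python script triages a firewall inventory against the conditions listed in the takeaways and action items above; the inventory records, field names and admin baseline are constructed assumptions.

```python
import re

VULNERABLE_MIN = (4, 32)   # ZLD 4.32 .. 5.38 is affected, per the notice
FIXED_MIN = (5, 39)        # ZLD 5.39 and later carry the fix

def parse_zld_version(text):
    """Reduce '5.38', 'V5.38(ABFW.0)' or '5.38 Patch 2' to (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ZLD version: {text!r}")
    return (int(m.group(1)), int(m.group(2)))

def is_exposed(device):
    """All conditions from the notice: on-premises mode, ZLD 4.32-5.38,
    and remote management or SSL VPN enabled."""
    ver = parse_zld_version(device["firmware"])
    in_range = VULNERABLE_MIN <= ver < FIXED_MIN
    return bool(device.get("mode") == "on-premises" and in_range
                and (device.get("remote_mgmt") or device.get("ssl_vpn")))

def unexpected_admins(device, baseline):
    """Admin accounts on the device that are not in the approved baseline."""
    return sorted(set(device.get("admins", [])) - set(baseline))

def triage(inventory, baseline):
    """Return [(device name, [actions])] for every device needing work."""
    findings = []
    for dev in inventory:
        actions = []
        if is_exposed(dev):
            actions.append("update to ZLD 5.39 or later")
        if not dev.get("password_changed_after_patch", False):
            actions.append("change admin password")
        extra = unexpected_admins(dev, baseline)
        if extra:
            actions.append("review unknown admin accounts: " + ", ".join(extra))
        if actions:
            findings.append((dev["name"], actions))
    return findings

# Constructed sample inventory (hypothetical device names, accounts and values).
BASELINE_ADMINS = ["admin", "netops"]
SAMPLE_INVENTORY = [
    {"name": "fw-branch-1", "firmware": "V5.38(ABFW.0)", "mode": "on-premises",
     "remote_mgmt": True, "ssl_vpn": False, "admins": ["admin", "netops", "svc_tmp"],
     "password_changed_after_patch": False},
    {"name": "fw-hq", "firmware": "5.39", "mode": "on-premises",
     "remote_mgmt": True, "ssl_vpn": True, "admins": ["admin"],
     "password_changed_after_patch": True},
    {"name": "fw-cloud", "firmware": "5.37", "mode": "cloud",
     "remote_mgmt": True, "ssl_vpn": True, "admins": ["admin", "netops"],
     "password_changed_after_patch": True},
]
```

Calling `triage(SAMPLE_INVENTORY, BASELINE_ADMINS)` flags only `fw-branch-1`, with all three actions from the list above.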
